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Welcome to (IN)SECURE 27 
the digital security magazine 




As lowering temperatures signal the last days of summer, many of you are already behind your 
workstations tackling new threats and looking fondly back at the days at the beach. You're not 
alone, the security landscape is evidently waking up, as both black hats and white hats are back 
at their keyboards. 



During the past few months we've been sorting through a significant number of article 
submissions. The result is another issue of (IN)SECURE we think you'll enjoy. 

While wrapping up on this issue, we finalized our travel plans to attend EN ISA's Summer School 
on Network and Information Security in Greece, SOURCE Conference in Barcelona and BruCON 
in Brussels. This means we'll be seeing many of you during September and listening to a myriad 
of inspiring talks. It's going to be an stimulating month! 

Mirko Zorz 
Editor in Chief 



Visit the magazine website at www.insecuremag.com 
(IN)SECURE Magazine contacts 
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document. Distribution of modified versions of (IN)SECURE Magazine content is prohibited 
without the explicit permission from the editor. 
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Security world 



The dramatic increase of vulnerability disclosures 




Vulnerability disclosures are increasing dramatically, having reached record levels 
for the first half of 2010, according to IBM. Overall, 4,396 new vulnerabilities were 
documented by the X-Force team in the first half of 2010, a 36% increase over the 
same time period last year. 55% of all these disclosed vulnerabilities had no 
vendor-supplied patch at the end of the period, (www.ibm.com) 



Novell releases Cloud Security Service 

Novell announced the general availability of their Cloud Security Service, 
hosted in the cloud, either where the provider hosts its application or via a No- 
vell hosting partner. A user can log on directly or via the enterprise identity sys- 
tem. The service first verifies the identity and, if successful, will generate an 
identity token in the format needed by the SaaS provider, (www.novell.com) 



Microsoft releases mitigating tool for latest 0-day bug 



HD Moore, creator of Metasploit, revealed that some 40 Windows applica- 
tions are affected by a critical vulnerability that can allow attackers to execute 
malicious code remotely and infect the computers with malware. Microsoft 
released a tool that mitigates the risk by altering the library loading behavior 
system-wide or for specific applications, (www.microsoft.com) 
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New software for smarter security and compliance management 



IBM announced new software to deliver security and compliance to 
thousands of computers globally, automating some of the most time- 
intensive IT tasks. The new software, delivered through IBM's BigFix 
acquisition, provides built-in intelligence that identifies all of a com- 
pany's PCs, laptops, servers, point-of-sale and virtualized devices, 
then flags when devices are not in compliance, (www.bigfix.com) 




The first cloud computing solution to achieve PCI compliance 



3? 



Verizon Computing as a Service, or CaaS, the company's cloud computing solution 
is the first cloud-based solution to successfully complete the Payment Card Indus- 
try Data Security Standard (PCI DSS) audit for storing, processing and transmitting 
credit card information, (www.verizonbusiness.com) 



DEFCON survey reveals vast scale of cloud hacking 

An in-depth survey carried out amongst 100 of those attending this year's DEF- 
CON conference in Las Vegas recently has revealed that an overwhelming 96 per- 
cent of the respondents said they believed the cloud would open up more hacking 
opportunities for them, (www.fortify.com) 




Intel to acquire McAfee 

Intel Corporation has entered into a definitive agreement to acquire McAfee for 
approximately $7.68 billion. Both boards of directors have unanimously ap- 
proved the deal, which is expected to close after McAfee shareholder approval, 
regulatory clearances and other customary conditions specified in the agree- 
ment. (www.intel.com) 




Resourceful attackers continue to make the web insecure 

Attackers are staying one step ahead of the game and enterprises are struggling 
to keep up, according to a report by Zscaler. During the second quarter of 2010, 
attackers once again took advantage of opportunities just as quickly as they 
emerged. These opportunities included both the emergence of new vulnerabilities 
in popular technologies as well as current events that drew the attention of mil- 
lions around the globe, (www.zscaler.com) 



Secure remote access for Mac users 





HOB launched MacGate, a new secure remote access solution designed specifically 
for Mac users. It provides users with access to computers running Mac, especially 
graphics workstations, on a corporate network either through a LAN or over the 
Internet, (www.hobsoft.com) 
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Employees admit they would steal data when leaving a job 



Employees openly admit they would take company data, including customer 
data and product plans, when leaving a job, according to Harris Interactive. 
The online survey probed 1 ,594 full- and part-time employees and contrac- 
tors in the United States and Great Britain about their attitudes toward ac- 
cessing and viewing of company-owned data, (www.harrisinteractive.com) 




Publicly trusted secure e-mail certificates 



Entrust adds publicly trusted secure e-mail certificates to its certificate man- 
agement service, enabling digital signature capabilities and encryption of e- 
mails and other documents. Based on the X.509 certificate standard, Entrust 
Secure E-mail Certificates enable standards-based S/MIME capabilities. 

(www.entrust.com) 



PCI standard changes ahead 



The PCI Security Standards Council published documentation highlighting the 
expected changes to be introduced with version 2.0 of the PCI DSS and PA-DSS 
in October 2010. Version 2.0 of PCI DSS and version 2.0 of PA-DSS do not in- 
troduce any new major requirements, (www.pcisecuritystandards.org) 




Millions of Coldfusion sites need to apply patches 





ProCheckUp were able to access every file including username and passwords 
from a server running ColdFusion. This was completed through a directory tra- 
versal and file retrieval flaw found within ColdFusion administrator. A standard 
web browser was used to carry out the attack, knowledge of the admin password 
is not needed, (www.procheckup.com) 



D-Link routers get DNSSEC and CAPTCHA protection 



D-Link enhanced its router security by incorporating both CAPTCHA 
and DNSSEC to guard against hacking, worms, viruses and other 
malicious Web attacks, (www.dlink.com) 



Loss of personal information as stressful as losing a job 

yjjpldJll 1 1 Americans feel most vulnerable about the loss or theft of their personal or fi- 
i fI/7/tafJl/jLL i nancial information. Fifty-four percent of Americans said the prospect of losing 
this data "extremely concerned" them (based on a rating of eight or higher on 
a 10-point scale). Losing personal or financial information ranked similar to 
concern over job loss (53 percent) and not being able to provide healthcare 
for their family (51 percent), (www.antiphishing.org) 
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Security check for broadband home routers 

Attackers are increasingly targeting home routers as a means of gaining 
access to sensitive personal data. To help combat this threat, ICSA Labs 
is offering a new program under which manufacturers can have broad- 
band home routers certified. The program, Broadband Home Router Cer- 
tification, evaluates a router's effectiveness in identifying safe versus harm 
ful data, and denying access to malicious data, (www.icsalabs.com) 



64GB secure portable USB drive 



MXI Security offers a 64GB device for its Stealth line of 
secure USB devices, suited for customers that require 
devices for the secure portable desktop that allows you 
to natively boot Microsoft Windows from a Stealth USB 
device, (www.mxisecurity.com) 



Wipe technology for self-encrypting disk drives 

Toshiba announced Wipe for Toshiba Self-Encrypting Drive models, a technol 
ogy that allows special security capabilities, such as the world's first ability for 
sensitive user data to be securely erased when a system is powered-down or 
when a SED HDD is removed from the system, (www.toshiba.com) 



Free protection against Blackhat SEO threats 

AZscaler released Search Engine Security, a free solution specifically designed to 
combat Blackhat SEO attacks. With a typical anti-virus detection rate below 25% 
for such attacks, the protection provided by this solution can be a valuable asset in 
keeping PCs from falling victim to Blackhat SEO attacks, (www.zscaler.com) 



Former SF network admin Terry Childs sentenced to prison 

After a drawn out trial that saw City of San Francisco administrator Terry Childs be- 
ing convicted of violating California state hacking laws by deliberately locking the 
authorities out of the city's FiberWAN network by refusing to disclose administrative 
passwords, he has finally been sentenced to four years in prison. 



Private browsing modes not as private as one might wish 

The four most used web browsers - Internet Explorer, Firefox, Chrome and Safari - 
all have private browsing modes. Yes, they are designed to delete the most obvious 
signs of online activity such as cookies, browsing history and the browser's cache, 
but is that enough to keep your surfing habits hidden from interested parties? 
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Order today and protect your physical and 
electronic systems from attack! 




Available at Syngress.com, amazon.com or your favorite online retailer! 
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Review: BlockMaster SafeStick SuperSonic 

by Mark Woodstone 



Swedish company BlockMaster is a new player on the secure USB flash 
drives market. Their flagship products include SafeStick USB drive and Safe- 
Console platform for centralized USB management. I have been using their 8 
GB SafeStick drive for half a year now and I like the combination of the prod- 
uct's performance and its capability of working on multiple platforms. 



I use SafeStick SuperSonic, an upgraded ver- 
sion of the baseline secure USB product. This 
ultra fast device comes in sizes of 4 and 8 Gi- 
gabytes, while the regular ones can reach a 
size of up to 128GB. 

Although the company web site labels the de- 
vice as "the world's fastest USB flash drive", I 
think they forgot to add the word "secure" into 
the statement. The benchmarks that inspired 
the catchy title compared SuperSonic with 
other encrypted USB drives, not with USB 
flash drives in general. 

According to the benchmark tests from inde- 
pendent labs (unfortunately not specified), the 
tested SafeStick SuperSonic 4GB has the 



overall best results when compared to the 
"plain" SafeStick and three other unnamed 
competitors. 

Methodologies used include classic copying 
of file to the device, using ATTO Disk Bench- 
mark and Harald Bogeholz's H2testw. The 
benchmark report can be downloaded on the 
following web page: http://tinyurl.com/3xdfkro. 
Although I didn't do any speed tests, from my 
active usage I can say that performance is 
good and it seems to be working faster than 
similar devices I have used in the past. 

SafeStick SuperSonic has a slick slim chassis 
and it seems to be quite rugged. 
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BlockMaster did a number of tests on it in- 
cluding whacking it with a sledgehammer, roll- 
ing over it with a V8 Range Rover, and even 
washing it repeatedly in the washing machine 
under high temperatures. 

When I read this, I was tempted to try out 
some destructive ideas of my own, but 
common sense prevailed. 



As a side note: you can look for these "at- 
tacks" on SafeStick's integrity on YouTube. 

From the security point of view, SafeStick Su- 
perSonic sports an always-on automatic 
hardware AES256 encryption in CBC mode. 
The encryption keys are generated on board 
the device in the user setup procedure. After 
you authenticate, the device acts just like your 
typical USB flash drive. 




SafeStick 



® 




I mentioned earlier that it works on multiple 
platforms. When you plug the drive into your 
Windows machine it automatically provides 
you with a login application - you enter your 
password and it's ready for you to use. Mac 
OS X users need to download a small (1 .6 
MB) software package that provides the same 
functionality. 

SafeStick SuperSonic is ready for the enter- 
prise through the SafeConsole centralized 



USB management platform, which has the 
power to serve 100,000+ SafeStick deploy- 
ments. 

Cons: slight overheating when connected to 
some external USB hubs. 

Pros: performance, slim design, works on 
both Windows and Mac OS X, enterprise 
ready. 



Mark Woodstone is a security consultant that works for a large Internet Presence Provider (IPP) that serves 
about 4000 clients from 30 countries worldwide. 
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The devil is in the details: 
Securing the enterprise 
against the cloud 

by Michael Leland 




Network visibility continues to be a necessary and important part of informa- 
tion security, but in this era of social networks and Web 2.0 it is no longer en- 
tirely sufficient. The main problem is that content continues to move away 
from corporate servers, into the less visible and manageable cloud. Because 
of this shift, the ways in which we monitor and secure our business applica- 
tions must also change. 



The cloud remains difficult to secure for many 
reasons: the computing platform is highly dis- 
tributed; the platforms are often virtual; but 
perhaps the most challenging quality is its di- 
versity. Cloud services can theoretically be 
accessed by anyone, from anywhere, putting 
the security onus almost exclusively on user 
authentication. 

Whether or not the cloud can ever be truly se- 
cured is a matter of debate: even if it's possi- 
ble to control access to cloud services, en- 
forcing behavior in the cloud can be extremely 
difficult. 

Discussions about cloud security often focus 
on strong authentication and trying to protect 
the cloud service itself, but let's forget for a 



moment the issue of securing the cloud and 
think about what else connects to it. 

Does the cloud connect back to anything 
within your enterprise network? It is becoming 
commonplace for companies to use a web- 
based CRM - it's an excellent service and 
provides lots of value. However, those com- 
panies also host their own corporate web 
servers, and have tightly integrated their in- 
tranets with their customer-facing CRM, in or- 
der to deliver valuable internal tools for 
business intelligence. 

The integration is done the correct way, using 
published APIs. The web servers themselves 
are protected behind firewalls and intrusion 
prevention systems, so the assumption is that 
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everything is safe. But is their cloud-based 
CRM fully secured? And more importantly, if it 
were to be compromised, could it be used to 
access my web server using the legitimate 
account credentials and security tokens of the 
API? 

The short answer is: yes, it could. 

This is just one example, of course. There are 
numerous ways to tie cloud based services 
back into our enterprise data centers, and the 
simplest advice for avoiding the introduction 
of open backdoors to our otherwise secured 
networks is to avoid implementing those con- 
nections in the first place. 

However, as companies grow more depend- 
ent upon web-based services in order to 
make their own distributed workforce more 
efficient, that advice becomes hard to follow. 
Let's face it: being able to access and track a 
customer's order via their intranet login is a 



good thing, and being able to gauge produc- 
tivity of your manufacturing or assess the 
market acceptance of a product line from a 
web-based dashboard can be extremely help- 
ful. That means tying the two (or more) sys- 
tems together, and that means introducing 
new risks. 

So what can we do? If we could see how our 
internal systems were interacting with other 
users, services, and applications on the net- 
work, we could proactively watch these back- 
doors. We could make sure that inbound con- 
nections from the cloud were being used ap- 
propriately, by legitimate accounts, and for 
legitimate reasons. 

The bad news is that this level of monitoring 
requires full application session decoding, in 
order to analyze the actual contents of those 
connections at the application layer. The good 
news is that this advanced technology exists 
today. 



THERE ARE NUMEROUS WAYS TO TIE CLOUD BASED SERVICES BACK INTO 
OUR ENTERPRISE DATA CENTERS, AND THE SIMPLEST ADVICE FOR AVOID- 
ING THE INTRODUCTION OF OPEN BACKDOORS TO OUR OTHERWISE SE- 
CURED NETWORKS IS TO AVOID IMPLEMENTING THOSE CONNECTIONS IN 

THE FIRST PLACE. 



Understand the connection 

Unlike typical networks, which are dependent 
upon the physical, datalink and network layers 
to establish a connection, cloud services are 
more likely to be delivered (and authenti- 
cated) over a web browser or some other ap- 
plication. They're abstracted away from the 
network, and operate more at the session and 
application layer. 

This means that you not only need to look at 
connectivity as something that occurs "further 
up the stack," but you also need to fully un- 
derstand how that connectivity should be- 
have, as well as how it is behaving. 

Authentication should be strict and hard, and 
as much additional context as possible should 
be applied to it. That authentication should 
also never be trusted, because when an at- 
tack comes in from the cloud, there's a good 



chance that it will be using trusted accounts 
and certificates. 

This is where an analytical tool such as a 
SIEM (Security Information and Event Man- 
ager) comes into play, because you need to 
collect user access information from the serv- 
ice itself, correlate that to your own user 
authentication system, establish baseline be- 
haviors and policies, and set up alerting to in- 
form you when something suspicious is going 
on. In other words, you need to correlate 
events and behavior from both the cloud and 
your enterprise network. 

To gain real insight, that correlation will incor- 
porate the monitored behavior of the connec- 
tion between the two environments. That's an 
enormous amount of data correlation, and re- 
quires automation to make it operational. 
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Monitor the connection 

Understanding the nature of how cloud serv- 
ices authenticate and connect enables you to 
monitor those connections appropriately. A 
new type of monitoring is required to enable 
security analysts to look inside the contents of 
applications in order to enforce data access 
and usage policies that are being mandated 
by SOX, PCI, HIPAAand other compliance 
regulations. 

We're already looking at the cloud server logs 
(which should be collected locally by your en- 
terprise SIEM), your own identity and access 
management (1AM) system, and - to the best 
of your abilities - network connections be- 
tween the outside world and the cloud. The 
next step is to implement layer 7 application 
monitoring, to look inside those connections 
to ensure that the connection is legitimate and 
not spoofed; that the user is not transferring 
sensitive information to or from the cloud; and 
look for any number of other suspicious activi- 
ties that occur within a session once it has 
been established. 

Again, you'll want some heavy-lifting analytic 
tools in your corner to help automate this, and 
to correlate everything together. You'll also 
need a layer 7 monitoring device that can ac- 
tually decode and inspect the contents of 
applications. 

The details 

While these tools are available today - in the 
form of application data monitors, content 
firewalls, DLP, other data-inspection products, 
and SIEMs - products alone can't secure the 
cloud. Application monitoring gives you visibil- 
ity up through layer 7, but that visibility doesn't 
do you any good if you don't know what 
you're looking for. 

Are the underlying protocols legitimate? Have 
sessions been established correctly? Once a 
session is established, what is the user doing, 
and does that behavior indicate any type of 
risk? 



Take the time to tune your monitoring and 
alerting tools according to your own usage 
policies, and you'll be able to monitor applica- 
tion use within the context of your own inter- 
nal usage policies, not to mention whatever 
compliance requirements you are held to. 

The devil 

If you manage to control and monitor all ac- 
cess to your cloud service, you'll be faced 
with an additional challenge: encryption. 
When re-directing and monitoring outside ac- 
cess, you'll need to decrypt that session 
before it can be monitored. 

Internally, you have your own certificates and 
can simply terminate the secure connection 
prior to monitoring. When things aren't in your 
control - and they rarely are when dealing 
with virtualized, distributing computing - it 
means that you need to find another way to 
unlock those sessions. 

Is it appropriate to recommend implementing 
a man-in-the-middle within your own network? 
Using an SSL decoding appliance industrial- 
izes the process somewhat, making it seem 
more legitimate, but the truth is that you have 
to act a bit like the devil in order to get the 
details. 

The good news is that there's hope. With a 
little effort to control how cloud services are 
accessed, and by correctly monitoring that 
access, it's possible to regain a clear picture 
of how your applications and information are 
being used, in order to truly defend against 
data loss and theft. 

• Collect logs from your cloud server(s), espe- 
cially those involving user access and activity 

• Establish a whitelist of authorized users and 
privileges from your own authentication sys- 
tem 

• Monitor traffic aggressively so that you have 
as much data as possible about cloud activity 

• Centralize everything, correlating network-, 
user- and application-level activity together. 



Michael Leland serves the office of the CTO at NitroSecurity (www.nitrosecurity.com). He is responsible for 
developing and implementing the company's overall technology vision and roadmap including next-generation 
network and security management solutions. 
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Latest additions to our bookshelf 



ModSecurity Handbook 

By Ivan Ristic 

Feisty Duck, ISBN: 1907117024 



MODSECURITY 
HANDBOOK 




■IBS!? 



ModSecurity Handbook is the definitive guide to ModSecurity a popular open 
source web application firewall. Written by Ivan Ristic, who designed and 
wrote much of ModSecurity, this book will teach you everything you need to 
know to monitor the activity on your web sites and protect them from attack. 
The book is suitable for all reader levels: it contains step-by-step installation 
and configuration instructions for those just starting out, as well as detailed 
explanations of the internals and discussion of advanced techniques for 
seasoned users. Includes the official ModSecurity Reference Manual. 



Eleventh Hour Network+: Exam N1 0-004 Study Guide 

By Naomi Alpern 

Syngress, ISBN: 1597494283 



The 11th Hour Network-i- Study Guide is keyed to the N 10-004 revision of the 
CompTIA Network+ exam. This book is streamlined to include only core 
certification information and is presented for ease of last-minute studying. Main 
objectives of the exam are covered with key concepts highlighted: Fast Facts 
quickly review fundamentals, Exam Warnings highlight particularly tough 
sections of the exam, Crunch Time sidebars point out key concepts to 
remember, Did You Know? sidebars cover sometimes forgotten details, Top 
Five Toughest Questions and answers help you to prepare. 
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Cisco ASA: All-in-One Firewall, IPS, Anti-X, and VPN Adaptive Security 

Appliance (2nd Edition) 

By Jazib Frahim and Omar Santos 

1587058197 

This book is Cisco's authoritative practitioner's guide to planning, deploying, 
managing, and troubleshooting security with Cisco ASA. Readers will learn 
about the Cisco ASA Firewall solution and capabilities; secure configuration 
and troubleshooting of site-to-site and remote access VPNs; Intrusion 
Prevention System features built into Cisco ASA's Advanced Inspection and 
Prevention Security Services Module (AIP-SSM); and Anti-X features in the 
ASA Content Security and Control Security Services Module (CSC-SSM). 
This new edition has been updated with detailed information on the latest 
ASA models and features. 

CompTIA Linux+ Certification Study Guide (2009 Exam): Exam XKO-003 
By Brian Barber, Chris Happel, Terrence V. Lillard, Graham Speake 

Syngress, ISBN: 1597494828 

CompTIA's Linux+ certification is a globally-recognized, vendor neutral exam. 
The Linux-i- exam (XK1-003) is a substantive revision with updates on 
applications, networking, and security. This new study guide is aligned to cover 
all of the material of the updated 2009 exam with special attention to the new 
topics including troubleshooting Web-related services, understanding DNS 
record types and resolving them, and the basics of SELinux security. 
The study guide will cover installing applications, configuring the base system, 
using BASH, and securing and maintaining Linux. 

Windows Server 2008 Administrator's Pocket Consultant 

By William R. Stanek 

Microsoft Press, ISBN: 0735624372 

Designed for quick referencing, this portable guide covers all the essentials for 
performing everyday system administration tasks. You'll discover how to manage 
workstations and servers, use Microsoft Active Directory directory service, create 
and administer user and group accounts, manage files and directories, back up 
and recover data, and use TCP/IP, WINS, and DNS for network administration. 
Featuring quick-reference tables, concise lists, and step-by-step instructions, this 
handy, one-stop guide provides fast, accurate answers on the spot whether 
you're at your desk or in the field. 

Eleventh Hour Linux+: Exam XKO-003 Study Guide 

By Graham Speake, Brian Barber, Chris Happel and Terrence V. Lillard 

Syngress, ISBN: 1597494976 

The 11th Hour Linux+ Study Guide is keyed to the XKO-003 revision of the 
CompTIA Linux+exam. This book is streamlined to include only core 
certification information and is presented for ease of last-minute studying. Main 
objectives of the exam are covered with key concepts highlighted: Fast Facts 
quickly review fundamentals, Exam Warnings highlight particularly tough 
sections of the exam, Crunch Time sidebars point out key concepts to 
remember, Did You Know? sidebars cover sometimes forgotten details, Top 
Five Toughest Questions and answers help you to prepare. 



Cisco Press, ISBN: 
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RSACONFERENCE 

EUROPE 2010 
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5ECURITY DECODED 



Deciphering our changing security landscape gets more 
daunting by the day. RSA* Conference Europe 201 0 
has the solutions. Over three days, get the practical 
knowledge you need to protect and secure your 
organisation. Benefit from: 

• 70 ed u ca tion a I track sessi o n s 

• Keynotes from industry thought leaders 
and guest speakers 

• Interactive programmes 

• Demonstrations from leading vendors 

• Time to meet and collaborate with peers 

Register online now at: 

www.rsaconference.com/201 0/hn 



Dates: 1 2th - 1 4th October 
Venue: Hilton London 
Metro pole Hotel, UK 



Register Early and Save! 



■ 



17th July 
£850+ VAT 



mber: 



Standard Registration 
1 1 th September - Event: 
£975+ VAT 



iOlo RSA Setulty UX. All rights reserved. RSA, the RSA. logo and RSA Conferences ere either registered Trademarks or trademarks or RSA Security LLC. In the United States anct'or other 
countries. All other products and services mentfcned are trademarks of their respective companies. RSA Security UK Limited. Incorporated on June 6. 1996. Company Number: 32QS7I6& 
Recjstered omce I Carnege Road, Newbury, Berkshire, RGUSDJ, England 



Cybercrime may be on the rise, but authentication 
evolves to defeat it 

by Steve Di 




Cybercrime is a fact of modern life, and its continued rise in prominence has 
caused the media, various politicians, and even the general population to 
start to take notice. It's all but certain that the next major war will include a 
cyberwarfare component, and the U.S. government is rushing to do what it 
can to build competency in computer-related defense. 



We've already begun to see the first echoes of 
this sort of activity, in cases like the Aurora ex- 
ploit that targeted Google and others in early 
2010. Closer to home, cybercrime is starting 
to make a significant impact on the bottom 
lines of businesses, especially in the financial 
sector, but often elsewhere as well. 

Part of what has been driving the continued 
increase in cybercrime rates has been the 
relatively rapid adoption of technology by or- 
ganized crime rings over the past five years. 
Cybercrime is no longer the provenance of 
teenagers in their parents' basements - it is 
now a business with a legitimate model, 
funded by wealthy and motivated organiza- 
tions, with access to some of the world's top 
computing talent. 

Cybercrime can be roughly divided into two 
categories: targeted attacks and bulk attacks. 
Targeted cybercrime is nothing new, although 



like bulk cybercrime, it has increased in recent 
years. Targeted cybercrime involves a criminal 
targeting a particular individual or business, 
often using some specific knowledge about 
the situation. Recent insider attacks fall under 
this heading. 

Even more concerning, though, is the explo- 
sion of bulk crime. Using tools such as the 
Zeus malware program, criminals are able to 
mount an attack on a huge number of targets 
at once, which are generally not known to the 
attackers in advance. Zeus is still active over 
three years after its initial identification, and as 
of July 2010, it is estimated to control over 3.6 
million computers in the U.S. alone. 

Bulk attacks have become so problematic 
that, in late 2009, the FBI, together with the 
American Banking Association, released guid- 
ance to all users of business online banking 
that recommended that they use a dedicated 
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computer for online banking, and for nothing 
else, in an effort to limit the possibility of be- 
coming infected by one of these pieces of 
malware. While this advice could potentially 
put a dent in infection rates, it is more striking 
for its tacit admission of the size of the prob- 
lem and the lack of a quick, effective solution. 

Software vulnerability defense mechanisms 
have included a variety of approaches over 
the years, including firewalls, IDS systems, 
and anti-malware software. These defenses 
have indeed been effective at mitigating the 
exploitation of software vulnerabilities over 
time, but as these defenses improve, attack- 
ers simply pick another angle. Increasingly, 
that new angle is attacking user authentica- 
tion. 

Multi-factor authentication 

As it has become more and more difficult to 
exploit software flaws, attackers have naturally 
looked for an easier target: authentication sys- 
tems. These attacks go back several years, 
starting with early keystroke loggers that cap- 
tured passwords, and moving on to email- 
based phishing attacks that netted attackers 
thousands of credentials at a time. Authentica- 
tion attacks have continued to increase in so- 
phistication over the years, and are now a ba- 
sic part of many of the most serious bulk 
attacks being reported today. 

When authentication is the problem, a natural 
reaction is to deploy strong authentication so- 
lutions, and such systems have indeed seen 
wide deployment over the past several years. 

The exact definition of strong authentication 
varies from situation to situation, however. In 
some sectors, strong authentication can mean 
simply asking for answers to security ques- 
tions (e.g., "what is your favorite color?"). In 
other contexts, it can involve other factors, 
such as biometrics, location, time of day, and 
more. 

A subset of these strong authentication tech- 
nologies are "multi-factor" technologies, which 
require the user to present more than one 
authentication factor from a specific list of 
possibilities, including "something you know" 
(passwords, pin numbers, and such), "some- 
thing you have" (including phones, smart 



cards, security and tokens), or "something you 
are" (biometric authenticators, like retinal 
scans, voice prints, fingerprints, and so on). 
Multi-factor solutions are either two-factor or 
three-factor, and these factors must be of dif- 
ferent kind to qualify - you can't use two 
things from the "something you know" 
category, such as a password and a pin. 

There are systems that are referred to as 
multi-factor authentication systems, but do not 
meet this definition. These systems may make 
use of web browser characteristics, IP geo- 
location, usage patterns, time of day, and so 
on - all of which is useful information for 
authenticating users, but it doesn't enjoy the 
same near-universal approval of the security 
community that the three traditional categories 
do. 

Out-of-band authentication 

Recently, an additional distinction among the 
various multi-factor systems has emerged: in- 
band versus out-of-band. In-band systems col- 
lect both (or all three) factors via a single logi- 
cal channel, and out-of-band systems use at 
least two different channels to collect the fac- 
tors. A common example of an in-band system 
is token-based authentication - users transmit 
the something they know (their memorized 
PIN number), together with the something 
they have (evidence of possession of the to- 
ken, in the form of a temporary token code), 
over the same channel, the Internet. 

The weakness of the in-band system lies in 
the fact that a single piece of malware, on a 
single system, can attack both factors simul- 
taneously. In the token example, all that would 
be required to attack the system would be a 
piece of malware that captures the input data 
(the PIN + token code) and transmits it to an 
attacker via some mechanism such as IM. 
When the attacker receives the information, 
he simply uses it to log in, and the server can't 
tell the difference between that attack and a 
legitimate login from that location. 

A solution to this problem is to use out-of-band 
authentication, where the factors are collected 
via different logical channels. Phone-based 
authentication is the most common and widely 
used out-of-band authentication method. 
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It works by collecting the something you know 
via the Internet and verifying the something 
you have (possession of the telephone) via 
the phone network. In this way it's impossible 
for a single piece of malware to attack both 
factors simultaneously. 

Transaction verification 

Authentication of logins is critical, but in the 
face of the newest, most sophisticated at- 
tacks, it can be insufficient. Again, once one 
attack becomes too difficult to mount, crimi- 
nals simply look for the next-easiest approach. 
When it becomes too difficult to attack the 
authentication step, attackers will simply by- 
pass it with malware. These attacks aren't 
theoretical, either; there have been several 
reported cases, relating to malware like Zeus 
and Clampi, of post-authentication attacks. 

One attack works like this: the user's com- 
puter is infected with a malware program, 
which patiently waits for the user to log into an 
online banking site. It can't bypass authentica- 
tion due to the presence of strong authentica- 
tion technology, but it doesn't need to - it sim- 
ply waits for the user to log in. Once logged in, 
the malware sends commands to the bank to 
do things like transfer money, all without show- 
ing what it's doing to the user, who may just 
be trying to check a balance or enter an online 
bill pay request. 

The bank cannot differentiate between the 
fraudulent transaction and a legitimate one, 
and unless the user is particularly vigilant at 
reconciling account statements, the transac- 
tion can easily be missed until after it has 
cleared. At that point, exactly who is responsi- 
ble for the loss is unclear, but generally, liabil- 
ity has been incurred by the bank's customer, 
not by the bank itself. (Note that this is a rap- 
idly evolving area of law; at least one lawsuit 
is pending challenging this arrangement.) 

Even more insidious attacks are possible. 
Imagine a piece of malware that simply waits 
for online banking customers to enter ACH 
transactions, and then changes only the desti- 
nation ABA and Account numbers. The cus- 
tomer's balance would still look right, and ex- 
cept for in the case of an incredibly vigilant 
(and detail-oriented) bookkeeper, this problem 
won't be noticed for weeks - until the intended 



recipient complains about the missing pay- 
ment. 

The root of the problem is, once again, an 
authentication issue. The transaction was not 
initiated by the authenticated user - it was ini- 
tiated by an unauthenticated security principle 
represented by the malware. The solution, 
then, is to re-authenticate the user at transac- 
tion time. Authenticating the transaction itself 
prevents malware from slipping in an unre- 
quested transaction. 

Considering the above example, assume that 
the online banking application was protected 
by phone-based transaction verification. Upon 
receipt of the ACH transfer request, the bank's 
servers would initiate a phone call to the user 
who (ostensibly) made the request, and would 
play back the transaction details to the user 
and ask for confirmation. The user would, of 
course, deny the transaction, and the money 
would never leave the bank account. 

Transaction verification can ask for more than 
a simple authentication of the user, however. 
Even the account number switch described 
above can be detected by asking the user to 
re-enter part of the destination account num- 
ber during the confirmation call. This is an 
easy request to comply with, since generally 
the user has the destination account number 
in front of him or her at the time the call is 
made, and it's an effective prevention of an 
account number switch attack. 

In fact, these are both special cases of trans- 
action data signing (TDS). By requesting that 
the user re-authenticate, or sign, each piece of 
the transaction, the bank can have a high de- 
gree of confidence in the authenticity of the 
request. A full TDS request might include the 
date, source and destination account num- 
bers, and transaction amount, together with an 
authentication code. Banks can generally 
reach the desired level of authentication secu- 
rity using only a subset of this information. 

Transaction verification goes beyond online 
banking, of course, to any context in which 
sensitive transactions are taking place. The 
concept could apply to changing files on a file 
server, or even to accessing specific web 
pages for reading data. 
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Common web single sign-on and authentica- 
tion solutions customarily separate documents 
by required authentication level, and at least 
two common systems, IBM Tivoli Access 
Manager and Computer Associates 
SiteMinder, support step-up authentication us- 
ing phone-based authentication. Defining the 
appropriate level of access granularity in an 
application can be difficult. Security adminis- 
trators have to balance the desire for authenti- 
cation security against users' desire not to be 
excessively bothered by re-authentication re- 
quests during the normal course of business. 

Various additional tools can be brought to bear 
to make the common usage scenarios con- 
venient for the user while still maintaining an 
appropriate level of security, including IP- 
based whitelists for authentications coming 
from trusted corporate computers, or transac- 
tion authentication caching, including not re- 
authenticating successive similar transactions. 
For example, it may make sense not to re- 
authenticate an ACH transfer to a given desti- 
nation account after the first authentication 
succeeds. 

Transaction verification can be implemented in 
a number of ways. We have described phone 
authentication as one possibility; another is 
SMS-based authentication, where the details 
of the transaction are sent via SMS text mes- 
sage to a user's mobile phone. The user then 
replies to the SMS message out-of-band to 
confirm the transaction. In addition, there are 
various smart card-based solutions that do full 
transaction data signing, although they haven't 
seen wide deployment to date due to cost and 
logistical considerations. 

These systems generally involve the use of a 
smart card together with a special-purpose 
smart card reader with a numeric keypad that 
can be used to enter and sign transaction 
details. 



There are a variety of challenges involved in 
transaction verification. Most applications 
(outside of certain government situations) lack 
the concept of transaction or event confirma- 
tion. These applications simply don't have a 
mechanism for requesting authentication at 
arbitrary points within the workflow. Applica- 
tions such as these will either require source 
code modifications or a proxy solution. 
Beyond the basic capability, setting up a sys- 
tem for transaction confirmation can be tricky, 
because of the potentially complex rule set 
dictating when additional authentication is 
necessary and the tension between ease of 
use and authentication security. Centralized 
access management systems can be of help 
in heterogeneous web environments, but se- 
curity administrators are largely left on their 
own when dealing with individual line-of- 
business applications. 

Going forward 

The world has changed. Cybercriminals are 
making an excellent living attacking authenti- 
cation systems, and security administrators 
have the difficult task of defending the users 
against these attacks. So, where do we go 
from here? Companies should include a com- 
prehensive authentication security analysis in 
the planning stage of every significant new 
application that the organization deploys. Try 
to focus on applications that have support for 
granular, event-based authentication, or con- 
sider proxy-based solutions. Look to out-of- 
band authentication methods to protect 
against in-line threats. 

Finally, start analyzing existing applications for 
potential weaknesses in the authentication ar- 
chitecture. Transactions that are particularly 
high-risk should be protected by transaction 
verification; press vendors for transaction 
verification support or add it yourself. 



Steve Dispensa is CTO & co-Founder of PhoneFactor (www.phonefactor.com). His many accomplishments 
include designing one of the world's first broadband wireless Internet networks for Sprint, as well as being a 
five time winner of the Microsoft Most Valuable Professional award. Steve, along with PhoneFactor developer 
Marsh Ray, recently discovered the TLS/SSL Authentication Gap - a major vulnerability in SSL authentication 
making it vulnerable to man-in-the-middle attacks. 
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Here are some of the Twitter feeds we follow closely and can recommend to anyone interested in 
learning more about security as well as engaging in interesting conversations on the subject. 

If you want to suggest an account to be added to this list, send a message to ©helpnetsecurity 
on Twitter. Our favorites for this issue are: 



@hal_pomeranz 

Hal Pomeranz - Independent IT security consultant, SANS Institute faculty fellow. 

http://twitter.com/hal_pomeranz 



@wimremes 

Wim Remes - Information security manager at Ernst & Young. 

http://twitter.com/wimremes 



@ Ratal Los 

RafalLos - Security evangelist, blogger, and WebAppSec SME at HR 

http ://twitter.com/Raf al Los 



©CiscoSecurity 

Security technology, events and news. 
http://twitter.com/CiscoSecurity 
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We security folks are often blamed for treating our users (or customers, if you 
want) as less than competent. We generally expect users to consider what we 
say as information security gospel, but that doesn't happen very often. 



Many users have questions, and if we are 
lucky they may voice them. Personally I have 
found that when I take the trouble to explain 
the reason behind my decree, people are 
more likely to comply. You can file that under 
the "user education" category, if you will. 

I have a small home server that I use and 
abuse for various purposes, and tracking the 
various trends and attempts of ssh bruteforc- 
ing has always been a source of endless 
amusement. But one day, the following ques- 
tions sprung into my mind: "Could I actually 
use that information? Could I get something 
useful from it?" 

With that in mind, I set about working on start- 
ing logging the passwords. I will not go into 
the details now - suffice to say I wanted some- 



thing that was low maintenance, worked and 
did not require another server process or 
modifying the sshd code. 

I ended up using a custom pam module to log 
the source, the username and the password 
of each attempt, and I created honeypot users 
to monitor these attempts. 

Each bruteforce attempt creates a log entry 
that looks something like this: 

host = estpak.ee : username = shoutcast : 
password = shoutcast 

I let that setup run for a few months, specifi- 
cally from December 2009 to July 2010. Let's 
see if the collected data can help us answer 
some questions. 
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Question 1: No-one wants to attack us, 
do they? 

Most of us don't like to think that people are 
actively out to get us. But, let's look at the sta- 
tistics regarding the 8-month period in ques- 
tion: 

• Total Attempts: 159969 

• Unique Sources: 728 

• Monthly Average: 19996 

• Daily Average: 658 

• Unique Usernames: 16155 

• Unique Passwords: 16445. 

According to this, a large number of people 
are engaged in attacking (and yes, I realize 
that some of the attacks are coming from 



compromised machines and that their owners 
might not be aware of them being used to do 
this, but regardless of intent, the attacks are 
still happening). In fact, every day attacks 
from roughly 3 new sources were detected. 
Add this information to the number of total at- 
tempts, and you can see that everyone on the 
Internet is a target for someone else. 

Question 2: Why do I have to select a good 
password? 

What makes a good password is a topic on 
which a lot can be said, but I do not want to 
address it in this article. I simply wanted to 
show which passwords bruteforcers attempt to 
use most commonly. Here is a top 10 list: 



PASSWORD 


NUMBER OF ATTEMPTS 


123456 


2103 


password 


1267 


test 


869 


1234 


814 


root 


753 


oracle 


736 


qwerty 


707 


12345 


622 


abc123 


615 


redhat 


600 



This list is perfect for learning which pass- 
words to avoid using. 

Let's see some more statistics: 



Going by these numbers, the simple act of us- 
ing special characters in the password ne- 
gates 93% of all attacks - it's something to 
think about. 



• Passwords consisting of 1 0 or more charac- 
ters: 15949 (17% of total) 

• Passwords consisting of 6 or less charac- 
ters: 44552 (48% of total) 

• Passwords consisting of 3 or less charac- 
ters: 4815 (5% of total) 

• Passwords containing special characters: 
7055 (7% of total) 

• Passwords containing only numeric charac- 
ters: 10830 (11% of total) 

• Passwords containing only alpha characters: 
41349 (44% of total). 



A figure on the following pages takes a closer 
look at one of the most common passwords I 
found, and at all the ways it was used. 

This figure shows us that even though the 
word "password" was used 1 267 times, varia- 
tions of that word were used 3691 times - al- 
most 3 times more. And if you look at some of 
the permutations, you will notice that special 
characters were used. So, even if using spe- 
cial characters negates 93% of the attacks, it 
does not mean you can afford to pick a 
common/popular password. 
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1 P455W0RD 


1 


P@SSW0RD 


16 


p4 5 Sword 


19 


P@SSword 


42 


paSSword 


1 p4sSwOrd 


1 


P@SSWORD 


16 


p455wOrd 


20 


P455w0rd 


56 


Password 


1 p4SswOrd 


1 
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16 


P455word 


20 


PasswOrd 


61 


p4ssw0rd 
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1 
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P@SSWQRD 


16 


P455wOrd 


22 


P4ssw0rd 


86 


p@s sword 
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1 P4S SWORD 


2 
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16 
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PaSSwOrd 
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P4S SWORD 
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paSSword 


24 
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337 


paSSwOrd 


1 p4S Sword 


2 


PASSWORD 


17 


p@55wOrd 


29 


P@56w0rd 


457 


p@ssw0rd 


A I - 1 J iT- iT- 1 

1 P4$ Sword 


3 


PaSSword 


17 


P@5bwOrd 


32 


p@SSw0rd 


482 


passwOrd 


1 P4SSW0RD 


5 


PaSSword 


18 


p@ 5 Sword 


33 


P@ssword 


1255 


password 
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7 
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18 
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18 
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1 PASSWORD 
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18 
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Total 


3691 











Let's take a look at the top 20 used passwords containing special characters: 



PASSWORD 


NUMBER OF ATTEMPTS 


p@sswOrd 


4o/ 


!@#$% A 


128 


Sh3l5Lik3P4rtY@v3r 


111 


P@sswOrd 


102 


p@ssword 


86 


!@#$ 


76 


!@#$% A &* 


67 


67 !@#$% 


67 


!@#$% A &*() 


64 


!@# 


62 


!@#$% A & 


61 


QAZwsx!@# 


44 


zh3l5Lik3P4rtY@v3r 


42 


p@55w0rd 


42 


!@#$% A &*( 


42 


QQAAZZwwssxx!!@@## 


39 


qaz123$ 


36 


QAZ!@#123 


34 


P@55word 


34 


P@ssword 


33 



What does this list show us? We can see that 
not only words and word variations are used, 
but that a large number of keystroke se- 
quences are used, as well. 

The conclusions drawn from the collected 
data confirm the advice we give users about 
the need of choosing good passwords. 

Question 3: Won't they go away after a few 
tries? 



This question is generally asked by people 
who are unable to ignore the evidence that 
points to the fact that they are being attacked, 
but are also unable to believe that it is as bad 
as all that. 

Let's see what the data tells us, shall we? 

The table on the following page showcases 
the top 15 sources and the number of attacks 
they mounted (per month): 
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From this we can see that a large number of 
attackers seem to be active only for a month 
or two. But 5455 attempts in a single month 
from sms.bravo.com are nothing to sneeze at, 
even if the attacker gave up trying after that. 



We can also see that some attackers are 
rather persistent - the attacker behind 
222.68.194.69 shows up every month. 

Let's see which behavior is more dangerous: 



SOURCE 


Total unique usernames 


Total unique passwords 


smsbravo.com 


651 


2975 


222.68.194.69 


26 


388 



While smsbravo.com attacked only for a 
month, this activity presented more danger to 
us then the one in which 222.68.194.69 en- 
gaged, since it comprised of a larger number 
of unique attempts. This collected data shows 
that many attackers "go away" after a certain 
period but, more importantly, that these at- 
tackers can be just as dangerous as - and of- 
ten more than - those attackers who persist 
for months. 

Conclusion 

I understand that this dataset is a fairly 'nar- 
row' collection, since it is focused on ssh bru- 
teforcers, and was not taken from multiple 



servers in a large corporate address space. I 
know that there are many pieces of advice for 
preventing just these types of attacks, and 
yes, I purposely ignored all of them. And I 
know that answering these types of questions 
may seem like a waste of time to most of us, 
and I can imagine security people saying: "Of 
course the data will confirm what we say". 

Nonetheless, I believe this type of analysis is 
useful to show people why we say and rec- 
ommend the things we do - shows them that 
there is hard data behind the advice. When 
we can back up our advice with facts, we help 
ourselves and the people we advise by help- 
ing them make informed choices. 



Erich Samuel is a Senior Information Security Consultant at a large global insurance company. 
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PCI DSS v1 .3: Vital to the emerging 
demand for visualization and 
cloud security 

by Todd Ignasiak 




If you're part of the quintessential IT personnel most firms have, you've al- 
ready had some exposure to virtualization technology In all likelihood, por- 
tions of - if not your entire testing and development environment - run on a 
virtualization platform from VMware, Microsoft or Citrix. 



The savings in capital and operating expenses 
are so compelling that now you've been asked 
to expand virtualization's use to the rest of 
your data center, demilitarized zone and dis- 
aster recovery site - basically any other part 
of the physical network where migration of 
physical servers to virtual machines (VMs) will 
trim down the costs to power, cool, house and 
administer them. In fact, the likelihood that 
you have already embarked on such an effort 
is pretty high. 

In a Gartner webinar, analyst Thomas Bittman 
said that "by 2013, the majority of workloads 
running on x86 architecture servers in enter- 
prises will be running in virtual machines." 

This statistic implies that virtualization is 
quickly subsuming critical workloads, with 



valuable, sensitive and compliance relevant 
data and applications making their way onto 
VMs. The challenge presented stems from the 
fact that virtualization combines workloads of 
different trust levels (i.e. HR file server, CRM 
database, email server, etc.,) onto one physi- 
cal server, and how can an organization re- 
main compliant with requirements for the seg- 
regation of duties, zones of trust and least 
privilege access? 

Furthermore, as virtualization adoption within 
organizations broadens to include dispersed 
data centers, so too does the use of live mi- 
gration and automation - features which make 
it easy for VMs to be created and optimally 
operated but make it hard to continuously 
monitor and secure them. 



www.insecuremag.com 



28 



Enter the PCI Security Council 

The Payment Card Industry's (PCI) Data Se- 
curity Standard (DSS) provides guidance on 
how to best protect payment cardholder in- 
formation and transactions. While it does not 
mandate particular products, it does offer de- 
tailed information on how certain technologies 
may be used in this effort. For this reason it 
has long been lauded as the easiest to com- 
prehend and implement of the regulations that 
constitute the compliance arena (e.g. SOX, 
HIPAA, Graham Leach Bliley, FISMA, and 
FERC). Unfortunately, the current version of 
PCI DSS, v1 .2, does not address how to 
achieve its stated goals and protections within 
virtualized environments. This has created a 
lot of speculation and concern among organi- 
zations, especially when virtualizing their criti- 
cal workloads where they are sacrificing a 
compliant PCI audit result. 

While concerns about virtualization's risks 
within the context of PCI compliance abound, 
at the heart of the issue is Section 2.2.1 , 
which states organizations should "implement 
only one primary function per server." This can 
be interpreted in a number of ways: 

• If "server" indicates a hardware device, then 
all virtualized environments running VMs of 
different types (e.g. Web servers, databases) 
as guests on a single hardware host will be in 
violation of this requirement. 

• If server denotes VM, then environments - 
which have the technical means to limit appli- 
cations on a PER VM basis - will comply. 

Therefore, the interpretation of requirement 
2.2.1 for the virtualized environment becomes 
extremely important both for virtualization's 
adopters who are looking to maintain their PCI 
compliance and for qualified security asses- 
sors (QSAs) and auditors. 

PCI DSS mission: To provide guidance for 
visualization 

In order to provide much-needed guidance, 
PCI formed a virtualization special interest 
group (SIG), which examined some of the is- 
sues and challenges posed to PCI compliance 
in virtualized environments. The group, which 
began meeting in the fall of 2008, brought to- 



gether security vendors, practitioners, banks, 
merchants, auditors and QSAs, who have 
been meeting on a regular basis over the 
course of a year and a half in order to draft a 
recommendation for how the PCI DSS might 
be enhanced to include virtualization 
technology. 

The SIG's work was leveraged by a PCI tech- 
nical working group, which among other ef- 
forts has been drafting a mapping "tool" that 
will define the PCI DSS requirements in the 
context of the virtualized environment. The 
tool and other guidance which is slated for re- 
lease in October of 2010 as part of PCI DSS 
v1 .3 is extremely timely and absolutely vital to 
securing what is slated to become the de facto 
data center architecture. There are a number 
of reasons why the PCI technical working 
group's efforts are critical: 

1 . Some firms have gone forward with virtuali- 
zation and as a result risk failing a subsequent 
audit. Firms are incurring the risk to their net- 
works and they will be joined by many more 
as virtualization adoption explodes. 

2. Auditors and QSAs have no training or ex- 
perience in securing virtualized environments 
so there is no consistency to the audit 
process. 

3. Cloud computing and cloud services adop- 
tion is soaring. And validating this trend are 
large scale virtualized data centers, that are 
likely the providers of Infrastructure as a Serv- 
ice (laaS) to the small businesses and mer- 
chants who must maintain PCI compliance in 
order to be able to accept credit cards for 
payment. 

Checklist: What can you do today? 

Consider, for example, that you have virtual- 
ized a portion or your entire data center, or 
that a virtualization strategy is in process. 

Ask yourself the following question: What can 
you do today to ensure that you pass your PCI 
audit? The following five best practices are 
key protection elements for any network. They 
form the basis for PCI compliance within 
physical networks, as well as for the 
virtualized network. 
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The five key tenets to PCI-compliant virtual- 
ized environments are: 

1 . Isolate/segment workloads or servers or 
virtual machines. 

2. Isolate/segment networks or groups of 
servers or groups of virtual machines. 

3. Protect server or virtual machine contents. 

4. Log and audit all events including adminis- 
trator activity. 

5. Continuously monitor security against 
changes. 

The following briefly describe each tenet and 
offer guidance on how they can be accom- 
plished in the virtualized environment: 

Tenet 1 : Isolate/segment workloads or 
servers or virtual machines 

Protecting cardholder data implies that if a 
server containing the data is compromised, 
that the risk is limited to that server alone, and 
not others who are logically or physically 
connected to it. 

In order to ensure this protection, requirement 
number one of the PCI DSS is to "install and 
maintain a firewall configuration." In the physi- 
cal world, this type of protection is provided by 
network firewalls. Rules are defined and en- 
forced to limit traffic in and out of servers that 
contain cardholder data, sent to only known 
traffic sources and expected protocols. If for 
some reason the server becomes infected 
with a virus that attempts to spread itself, the 
unauthorized connection attempt will be 
blocked. 

The same type of protection and isolation is 
possible with hypervisor-based firewall tech- 
nology. Policies limit access to the virtual ma- 
chine by application, protocol and port, ensur- 
ing that only authorized traffic sources can 
gain access. The underlying firewall technol- 
ogy is the same that is used to protect card- 
holder data in physical networks, but it has 
been optimized for performance and security 
in the virtualized environment. Employing a 
virtual firewall allows organizations to comply 
with PCI DSS requirement 2.2.1 - which calls 
for "one function per server" - without requir- 
ing that separate VM hosts be purchased for 
each in-scope VM or VM group. 



Tenet 2: Isolate/segment networks or 
groups of servers or virtual machines 

In addition to isolating individual VMs and en- 
suring warranted access, the same process 
must be applied to groups of virtual machines. 
This becomes particularly apt in the cloud 
hosting environment where the cardholder 
data bearing VMs of customer A must be 
segmented from those of customer B. Isola- 
tion of groups between virtual machines can 
be accomplished in a number of ways. One 
may choose to confine certain VMs to a given 
physical host. However, this can get expen- 
sive in larger deployments. Another common 
way is through VLAN segmentation where vir- 
tual switch and port assignments are main- 
tained for certain groups of VMs. 

This method is popular but becomes quite 
cumbersome to manage at scale where new 
VMs are created or introduced frequently. The 
challenge with the latter method is that errors 
and misconfiguration (i.e. a VM assigned to 
the wrong VLAN) are quite common. For best 
results, virtualization security experts should 
combine VLAN segmentation with virtual fire- 
wall technology. The former can enforce VM 
to VLAN assignment automatically so that that 
the risk to cardholder data posed by VLAN 
mis-assignment is virtually eliminated. 

Tenet 3: Protect server or virtual machine 
contents 

Just as in the physical world, cardholder data 
on VMs must be protected from prying eyes 
and possible theft. CSOs and security admin- 
istrators need to take the necessary measures 
to protect the physical media carrying the VMs 
as well as securing the data at rest on the 
VMs. Encryption, which is put forth explicitly in 
PCI DSS requirement number two, is essen- 
tial for this purpose as is multi-factor user 
authentication. The former should be applied 
at all layers, disk and data and to all instances 
of the VM, including backups. Also, strong 
authentication will ensure that only those ad- 
ministrators with the highest and appropriate 
privilege will be able to access cardholder 
data. Most virtualization platforms broadly 
support available encryption and authentica- 
tion technologies, although verification of 
software version compatibility is strongly 
advised. 
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Tenet 4: Log and audit all events 

PCI DSS requirement 10 sets forth that "all 
access to network resources and cardholder 
data be tracked and monitored". This must be 
conducted for all types of access including 
that of administrators. The types of events that 
should be logged in and for which there 
should be a readily available audit trail in- 
clude: successful and failed login attempts, 
user and group access privilege changes, VM 
network assignments and changes. 

Administrator login attempts and user privilege 
assignments can be readily tracked with tools 
available from the virtualization platform pro- 
viders and the utilities of their management 
systems. VM lifecycle and network assign- 
ments can also be easily tracked in this way. 

In order to create a complete picture of access 
activity, virtualization administrators will also 
want to implement "in-line" technologies like 
virtual firewalls which monitor and selectively 
log all traffic flows, access types, security rule 
matches. These devices will also monitor hy- 
pervisor access attempt activity. Use of virtual 
firewalls with integrated IDS will also provide 
an audit trail of authorized access inspecting 
all packets bound for in-scope servers for the 
presence of malware. 

A complete audit trail of this sort can aid in 
troubleshooting as well as virtual network op- 
timization in addition to providing data for fo- 
rensic analysis and security policy refinement. 

Tenet 5: Continuously monitor and manage 
against change 

PCI DSS requirement six calls for "change 
control". In the physical world this is accom- 
plished through products for patch manage- 
ment. 

However, controlling the configuration of a VM 
is much more difficult. Since VMs can be cre- 
ated, cloned and otherwise configured with a 



mouse click it is very difficult for administrators 
to keep in-scope servers in compliance with 
the ideal or desired configuration. To accom- 
plish this, virtual network administrators 
should consider deploying a combination of 
technologies, including VM introspection, 
automated compliance assessment and 
configuration management. 

The former two allow for the automated detec- 
tion and alerting of changes to virtual ma- 
chines, including the networking settings as 
well as the installed applications and services. 
An automated assessment process can alert 
VM administrators when there are deviations 
or VM state changes that negatively impact 
the risk profile. 

There are several commercially available so- 
lutions that leverage VM introspection for this 
purpose. Configuration management allows 
for rollbacks and updates to be conducted so 
that after detection, remediation of the VM 
state can be carried out quickly. There are 
many solutions available for configuration 
management and remediation for virtualized 
servers. 

Conclusion 

Not only is PCI compliance within the virtual- 
ized environment possible, but it may actually 
be easier and more cost-effective to achieve 
than it is in the physical network. While PCI 
DSS v1 .3 will bring forth much-needed expla- 
nations of the requirements for the virtualized 
environment, the end goal of protecting card- 
holder data is the same, and the onus still falls 
to the end-user (i.e. businesses, organiza- 
tions, security practitioners) to decide how to 
best achieve this goal. 

The key to making the best possible choices 
is in knowing that virtualization has given rise 
to a host of purpose-built technologies that 
ensure security and compliance in an auto- 
mated and dynamic fashion akin to the 
management of the virtual network itself. 



Todd Ignasiak is the Director of Product Management at Altor Networks (www.altornetworks.com). He is re- 
sponsible for product management and building the next generation of security to address the virtual data cen- 
ter. Ignasiak has been in the network security field for 15 years. Previously he created network security solu- 
tions for vendors including Check Point Software and secured large enterprise networks at Ford Motor Com- 
pany. He is a member of the PCI DSS technical working group. 
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The IT security landscape has changed dramatically over the last few years. 
Low entry barriers and high rewards have induced many criminal organiza- 
tions to try their hand at cyber crime. Large-scale attacks such as those per- 
petrated against Google and 30 other U.S. companies in early 2010 are a proof 
that the security battle is still very far from being won. 



In addition to that, an ever-increasing number 
of regulations see to it that enterprises now 
take more responsibility for their digital actions 
than ever before. Compliance is a key driver in 
many security sectors. And though most com- 
panies try to protect their information and 
computer systems in good faith, many have 
failed to commit the resources and expertise 
necessary during all phases of system 
development and implementation. 

Security management is key 

Overall security policy and management is of- 
ten at the root of security problems. Recent 
years have seen the promotion of international 
standards for IT security management such as 
ISO27001 , but mainstream adoption has not 
been widespread. 

It is of vital importance to make security a 
prominent consideration before, during and 



after any IT system implementation or up- 
grade, and every organization should have a 
comprehensive plan in place for addressing 
security issues during every phase of an IT 
project: conceptualization, design, develop- 
ment, test, rollout and maintenance. 

Many of today's organizations do not have 
enough resources to invest into strategic se- 
curity planning and management, so they 
simply implement or maintain a system that 
works. This is often due to lack of money, but 
can also be a case of lack of education. It is 
clear that there is an inconsistent approach to 
how software and system security is ad- 
dressed and managed, and this continues to 
fuel the numbers of IT security incidents 
making headlines. 

The current cloud trend will likely affect this 
pattern. By outsourcing ICT requirements into 
the cloud, users are effectively transferring 
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the liability for their security risk via contract to 
the provider. This does not make the security 
issues go away merely transfers the owner- 
ship of the problem. 

Although, it is conceivable that the use of the 
cloud will take some organizations' security 
posture to a higher level than the one they are 
currently unable to achieve. Media pressure 
will also make consumers demand that secu- 
rity is addressed when adopting the cloud. 
Prospective adopters of cloud services should 



also take great care when investigating secu- 
rity guarantees and claims made by service 
providers. 

However, even with the emergence of the 
cloud, it should be noted that the types of se- 
curity threats facing ICT remain similar and 
that the control measures needed to address 
such threats have not changed significantly. A 
common requirement - regardless of the tech- 
nology delivery mechanism - is security 
testing. 



SECURITY TESTING IS A POPULAR, 
BUT OFTEN MISUNDERSTOOD CONCEPT 



Security testing, trial and error? 

Security testing is a popular, but often 
misunderstood concept. 

At its most basic level, security testing is 
aimed at identifying security vulnerabilities and 
weaknesses in software and systems, in order 
to fix them before they can get exploited. Well- 
publicized examples include SQL injection and 
buffer overflow flaws. It's important to recog- 
nize that security vulnerabilities are not nec- 
essarily the product of poorly designed or 
coded systems. Many security vulnerabilities 
are the result of configuration errors in hard- 
ware and software, caused by human error 
during implementation or upgrade. 

A good security testing strategy is an essential 
element of any security risk management 
plan, especially for mitigating minor human 
errors that can snowball into serious breaches 
if not identified early on. A strategy for testing 
and verifying all aspects of hardware and 
software integration is a 'must have' for any 
system implementation or software develop- 
ment project. It is also essential that such 
strategies broadly approach the matter of se- 
curity, rather than focusing on specific 'high 
risk 1 areas such as authentication and access 
management. This ensures the identification 
of unexpected problems, as well as of those 
anticipated. 



A common, cost efficient approach has been 
to develop and implement business systems 
first, and then follow up with a short black box 
penetration test to see if the system can be 
penetrated. However, this leaves systems 
wide open to attack because other areas are 
neglected. 

This problem can be solved by raising aware- 
ness of the fact that there are other security 
tests out there, and that a more consolidated, 
comprehensive approach to security testing 
across all the components of today's business 
systems is needed. 

It simply makes sense to start testing as early 
as possible in order to avoid potentially critical 
vulnerabilities sneaking into mission critical 
systems. Advances in technology make it so 
much easier for security testing to be inte- 
grated alongside traditional testing programs - 
automated tools for source code analysis and 
simulation of web-based application-level at- 
tacks enable the discovery of security issues 
before the production phase. However, auto- 
mated tools have their downsides (e.g. false 
positives) and should always be comple- 
mented with manual testing. 

HP's and IBM's drive to acquire security test- 
ing technology should be seen as a proof of 
the increased importance and awareness of 
the need for broader security testing efforts. 



www.insecuremag.com 



35 



With that in mind, IBM has acquired Watchfire 
and Ounce Labs in 2007 and 2009, respec- 
tively. 

"Secure applications are vital to information 
integrity and continuity in government and 
business," commented Daniel Sabbah, gen- 
eral manager of IBM Rational software. 
Given that many security weaknesses are the 
result of errors or misconfigurations, it is also 
essential that security testing covers the con- 



figuration testing of key components of IT sys- 
tems, from network devices to databases and 
applications. 

It's also vital that testing does not just stop 
once a system has gone live. A continuous 
security testing process is required, and it 
must involve the full range of test activities, 
from automated vulnerability assessments to 
manual penetration and configuration 
checking techniques. 



OFTEN LAID AT THE DOOR OF THE IT 
DEPARTMENT, SECURITY RESPONSIBILITY 
HAS NOW MOVED OUT OF THE BASEMENT 
AND INTO THE BOARDROOM 



QA for peace of mind 

Historically, an often casual approach to secu- 
rity testing has been used when compared to 
testing of other non-functional software and 
systems. This can be partly attributed to con- 
fusion over the ultimate responsibility for secu- 
rity functions within an enterprise. Often laid at 
the door of the IT department, security re- 
sponsibility has now moved out of the base- 
ment and into the boardroom, with an increas- 
ingly strong drive from compliance obligations. 

As stated, the broadening of the cloud serv- 
ices marketplace will drive a transfer of own- 
ership, which will make companies adopt a 
wider focus on security in general. It is also 
possible that cloud users will seek some form 
of security certification (e.g. Kitemark) that 
demonstrates that the service provider is 
committed to security. 

The days of conducting penetration-style test- 
ing and running some open source vulnerabil- 
ity analysis tools on an ad hoc basis are long 
gone, and the need for stakeholders to col- 



laborate and share responsibility for an effec- 
tive security testing strategy has never been 
higher. 

Regardless of the ICT solution or delivery 
model, security is synonymous with quality 
software, and companies that strive for stabil- 
ity and scalability in their ICT solutions must 
put equal emphasis on security. 

The security risk profile of software and sys- 
tems has changed, and although a moving 
target, it still needs to be addressed in a lay- 
ered fashion. A formalized approach is there- 
fore required, involving collaboration across 
organizations and enterprises, and definitely 
including a rigorous testing procedure. 

Security testing fits firmly into the discipline of 
software quality governance and is included in 
an overall security policy stance that most en- 
terprises should aspire towards. Without plac- 
ing due importance onto security testing of 
both new and existing systems, businesses 
are liable to increase their exposure to 
unstructured risk. 



Rob McConnell is a Market Director within SQS Group (www.sqs-group.com), having spent the past 1 5 years 
specializing in the field of information and systems security management. Rob holds industry recognized secu- 
rity professional qualifications including CISSP, CESG Listed Advisor and ISO27001 Lead Auditor. 
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Oops! Backup (www. net-security.org/software. php?id=783) 

OopslBackup is an extremely easy to use CDP (Continuous Data Protection) backup for Windows 
7, Vista & XP (64 and 32 bit). It's fully automatic and can go back in time to restore different ver- 
sions of backed up files. 

TCPView (www.net-security.org/software.php?id=31 9) 

TCPView is a Windows program that will show you detailed listings of all TCP and UDP endpoints 
on your system, including the local and remote addresses and state of TCP connections. 

The Sleuth Kit (www.net-security.org/software. php?id=21 5) 

The Sleuth Kit is a collection of UNIX-based command line file system forensic tools that allow an 
investigator to examine NTFS, FAT, FFS, EXT2FS, and EXT3FS file systems of a suspect com- 
puter in a non-intrusive fashion. 

BestCrypt (www.net-security.org/software. php?id=1 73) 

BestCrypt data encryption systems bring military strength encryption to the ordinary computer 
user without the complexities normally associated with strong data encryption. 

Bulletproof Public PC (www.net-security.org/software.php?id=753) 

Bulletproof Public PC will let you turn your PC into an Internet kiosk/public access workstation. It 
can be setup to completely disable access to files installed on your PC while giving full access to 
all necessary applications you specify. 
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A brief history of security 

by Winn Schwartau 



nterpnse 






IT architecture is a never-ending exercise in migration - a centric vs. non- 
centric flux that can never seem to make up its mind. And for decades, secu- 
rity - most assuredly the bastard step-child of IT - has been left to flounder 
and wildly twist in the wind, at first forgotten or ignored, but nonetheless 
tasked to clean up the mess that the IT folks have rendered. 



The modern enterprise is now facing un- 
precedented threats and risks to its dynamic 
mobile infrastructure. This is that story. 

Some of you might remember the 1950s. 
Doris Day and Cary Grant in a Big Blue com- 
puter room, paper-spewing and chaos ensu- 
ing. Not much security as massive 5MB disk 
drives, tape cabinets and consoles that ate 
punch cards by the pound, sequentially proc- 
essing batch after batch of programs with no 
emulators to test them ahead of time. 

Computer security was dogs, fences and 
teenage soldiers carrying M-16s to keep po- 
tential intruders from entering hyper-paranoid 
facilities such as nuclear weapons testing labs 



and the government's real version of the 
WOPR from War Games. 

In the 1970s the United States Department of 
Defense labeled Cold War threats as para- 
mount to national security. The 193 Bell-La 
Padula security model set the foundation for 
decades of information security, but does not 
work well for the distributed mobile workforce 
and the enterprise. 

IBM's mainframe monopoly resulted in argua- 
bly the first software security product, RACF 
(Resource Access Control Facility) that pro- 
vided authentication, authorization (access 
control) and auditing capabilities. 
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Security was comparatively easy. Hundreds or 
thousands of users were physically hard-wired 
to the data center (pre-IP of course). Products 
like RACF identified users with simple us- 
erJDs and passwords, and the mainframe 
knew where every terminal was located. Us- 
ers and groups of users were given access 
rights to specific files and directories. All of the 
intelligence was at the central processing unit, 
located in some distant environmentally 
controlled room. 

On August 1 2, 1 981 along came the 51 50. 
You might know it better as the IBM PC. IBM's 
thinking was that this miniature 'almost a 



computer' was the perfect way to get small 
businesses addicted to IBM and would then 
grow into their larger offerings. 

But business had a different idea. Why 
shouldn't they be able to run software locally 
on the PC and connect to the mainframe? 
With programs and data now being processed 
and stored locally at the PC, the old security 
rules and architecture had changed almost 
overnight. 

Companies had to develop ways to manage 
distributed computers, and push out security 
policy and enforcement to the PC. 



With the introduction of Local Area Networks, vendors introduced 
competing and incompatible products, with negligible standards. 



With the introduction of Local Area Networks, 
vendors introduced competing and incompati- 
ble products, with negligible standards. From 
a security standpoint, the landscape changed 
again. There was no longer any need to run 
complex software at the PC. The LAN would 
manage it all, and your PC would not be 
burdened with the taxing processing. 

This fundamental architectural shift in the IT 
industry again challenged us "security folks," 
as now we had to consider how to secure the 
LAN, the servers and the data that could still 
be stored on the PC. We were treading on 
entirely new ground. 

In the rush to capitalize on Gordon Gecko's 
"Greed is Good" mantra so loved by the finan- 
cial industry, along came client-server archi- 
tecture. This architecture expanded on the 
LAN model by distributing processes and 
storage across a plethora of servers in an ef- 
fort to increase power and balance loads. The 
business units demanded the function, IT built 
a solution, but the security problems were 
immense and never adequately solved. A hy- 
brid of centralized, yet distributed security fail- 
ure points, was a catastrophe until a savior 
appeared on the scene. 

The sudden appearance of the Web triggered 
the development of yet another IT architec- 
ture. Every machine could be a client. Every 
machine could be a server. Not quite what we 
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have come to know today as P2P networking, 
but certainly an early evolutionary step. Again, 
security was, at best, a minor afterthought 
since the Web was designed to be platform- 
agnostic. 

Herein again, the mistakes of the prior gen- 
eration of IT management were repeated with 
historical ignorance and arrogance. Let's take 
this phenomenal connectivity, build piles of 
cool applications that can be run on almost 
any computer from almost any computer, and 
return the power to the user. 

Business was driving IT to build out function, 
secure web programming was a distant for- 
malization, and the consumer demand was 
and is still, insatiable. Where does security fit 
into this model? Viruses, worms, and an end- 
less supply of threats created a multi-billion 
dollar industry that is akin to the carnival game 
of Whack-a-Mole. 

Fast forward to today: Given the consumeriza- 
tion of the Internet, security is again treading 
in untested waters. Servers need to be se- 
cured, but unless the virtual drawbridges are 
in the 'down' position, commerce is shut off. 
An architectural dilemma to be sure, com- 
pounded by the fact that this security model 
assumes that the individual user knows how, 
and will actively participate in the security 
process. 



Expecting the home user, kids, parents and 
everyone else to abide by the best practices 
needed to protect themselves or their online 
activities was another exercise in hubris by 
the IT community. With the incredible growth 
of intelligent mobile devices replacing conven- 
tional computers counting in the hundreds of 
millions, history repeats itself, and we have 
valuable lessons that can be applied. 

Software grew with exponential complexity 
and complexity breeds vulnerability, which in 
turn, breeds poor security. Consumers want 



function, but they need simplicity - which was 
not delivered until recently with the iPhone 
and similar devices. 

Smart phones are the new computers. They 
are highly portable, increasingly powerful with 
a user base growing at double-digit rates. An 
estimated 2 billion of them will be deployed 
globally by 2013. Smart phones are comput- 
ers that happen to have a telephone in them; 
they are used for traditional data-oriented 
computer tasks like email, surfing, data 
storage and business applications. 



If there is a lesson has been learned in the last three decades, 
it's that security must have a balanced role with business 

requirements and IT implementation. 



Unleashing vast amounts of sophisticated 
technology to hundreds of millions of people 
who have already proven that they are either 
incapable of or unwilling to take the appropri- 
ate security steps or adapt proper behavior to 
protect their identity, is a distinct threat to the 
enterprise and global security. 

While to the user smart phones and notably 
the iPhone family are intuitively easy to use, 
the risks to the devices, their users or the 
companies that use them for business are, as 
with past technology innovations, after- 
thoughts. Security has - as always - fallen into 
the abyss of invisibility due to apathy, 
arrogance or ignorance. 

We know that smart phone applications are 
the greatest tool ever devised to deliver hos- 
tile software to a computing device, and as of 
23 June 2010, a study suggests that 20% of 
Android applications could be spyware. We 
know the iPhone has been rooted and there is 
an increasing library of hostile mobile code in 
addition to the applications. We also know that 
the bad guys are going to use and abuse any 
technology to their advantage, no matter the 
motivation. 

We are also keenly aware that companies 
would dearly love to adapt the consumer 
iPhone and other smart phones for internal 
corporate applications. The healthcare indus- 
try wants to allow nurses and doctors to have 



the needed information, anywhere and any- 
time. 

The retail industry wants to use these devices 
for virtual 'show and tell' shopping and mobile 
payment terminals. Every company wants to 
enable staff to access and utilize corporate 
resources. 

The IT architecture that smartphones utilize is 
a hybrid of communications technology and IP 
technology, and the conventional security ap- 
proaches of the past thirty years are incapable 
of addressing the mobile and smart phone 
security storm. 

If there is a lesson has been learned in the 
last three decades, it's that security must have 
a balanced role with business requirements 
and IT implementation. However, smart 
phones cannot support the multi-tasking 
needed, CPU resources and bandwidth re- 
quired, or the incessant battery drain such an 
approach would require - even if it could 
work. 

Because, at the end of the day, these con- 
sumer devices allow the user to turn off every 
security switch if they so desire. That risk is 
unacceptable to any organization that must 
adhere to governance guidelines, compliance 
regulations and afford proprietary data 
protection and privacy. 
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The mobile IT architecture is completely un- 
suited for any heretofore-existing security 
model and securing the mobile workforce re- 
quires a fundamentally different security archi- 
tecture that solves several, seemingly 
contradictory goals: 

• It should have zero impact on the perform- 
ance of the smart phone. 

• It should be invisible to the user, who should 
not be able to bypass any controls. 

• The enterprise should be able to mange 
many different types of smart phones with a 



single management, enforcement and control 
console. 

• Existing corporate security policies should be 
easy to migrate to any entire smart phone 
population in a few hours. 

• It should meet best security practices and 
compliance requirements of many industry 
sectors. 

• Any business should be able to design and 
deploy applications without having to worry 
about the complexities of secure programming 
as is needed even with web applications. 



Any business should be able to design and deploy applications 
without having to worry about the complexities of secure 
programming as is needed even with web applications. 



The mobile security problem is not going away 
because we wish it to. In fact, it is more com- 
plex than ever before and the sheer number of 
users is driving the consumerization of IT and 
the proliferation of these dual-use devices 
faster than any technology in history. 

The control of computing devices has mi- 
grated from the centric to the non-centric and 
back. The intelligence of devices has similarly 
moved from point to point within the IT infra- 
structure and the response of the security in- 
dustry to the hyper speed of technology inno- 
vation and deployment must accommodate 
the new mobile requirements of business, 
government and the consumer. 



I invite readers to consider one approach to 
this massive problem: moving all security con- 
trols and enforcement off of the internal enter- 
prise, the end point devices, the desktop and 
into a secure 'halo' where security comes first 
and application comes second. 

Imagine: a private security cloud where the 
business guys can actually design applica- 
tions with minimal restrictions. Imagine: a sin- 
gle administrative and control point for the 
mobile enterprise. 

There is no need to imagine that this is real - 
because it is. 



Winn Schwartau is Chairman, Board of Directors, Mobile Application Development Partners, LLC and consults 
with private and government organizations around the world. He is an expert on security, privacy, infowar, 
cyber-terrorism and related topics. Schwartau has testified before Congress, advised committees and has 
consulted as an expert witness. 
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The GRC Meeting 2010 aims to 
bring to participants, the main 
challenges that managers involved 
in the areas of IT Governance, 
Risk & Compliance has, in order to 
also share strategies, solutions and 
methods best suited to deal with 
such challenges before, during and 
afterthe global economic crisis. 
With over 20 activities, 2 days' 
duration, with speeches and 
workshops that should add value to 
the business of the participants. 



KB AT WWW.ORC-MEBTlNG.COM 



Security Awareness and Strategy; 
• Risk Management; 
• Identity Management; 
• Business Continuity & Disaster 
Recovery Planning; 
•Auditing & Standards: 
• IT Governance and Risk 
Management; 
•Web 2.0 and the Impact on 
Enterprise Security; 

• Data Privacy; 
• Cloud Security Computing; 

• Identity Theft. 
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The PCI Data Security Standard mandates foundational controls, most of 
which are information security best practices. It is a one-size-fits-all standard 
meant to address all business and technological environments that store, 
process or transmit payment card data. Minimum compliance with PCI stan- 
dards may not adequately protect card data. It is, therefore, necessary to con- 
duct a risk assessment in accordance with PCI requirements. 



Organized crime is in the business of breach- 
ing card data and committing fraud to profit 
from their efforts. Business is booming and 
they are reinvesting. The level of sophistica- 
tion is apparent. One recent breach was iden- 
tified by common point of purchase fraud 
analysis. It took two forensics teams to find 
the source of the compromise. Sniffer malware 
was installed on an unassigned section of a 
server hard drive, outside of the operating sys- 
tem. Hackers are also using malware to col- 
lect unencrypted card data stored in system 
memory. 

Professional hackers are innovative and pa- 
tient. They slowly infiltrate an environment, 
learn how card data flows and subtly probe for 
vulnerabilities. They create custom malware 
unique to the IT environment and test against 
anti-virus software to avoid detection. Next, 
they install the malware and exploit the pay- 
ment application. Once card data has been 
collected, hackers encrypt it and use anti- 
forensic tools to further avoid detection. Highly 
difficult attacks accounted for 95% of all com- 
promised records (bit.ly/BWNI4). Be mindful of 
the threat posed by authorized personnel. In 



addition to malicious insider threat considera- 
tions, internal personnel may introduce vul- 
nerabilities through human error. A malicious 
actor may assume the guise of an employee 
through a technological exploit or compromise 
them through social engineering. 

I. Management support 

Resources are required to conduct a compre- 
hensive risk assessment. Explain the current 
threat landscape to senior management. De- 
termine their risk tolerance and request their 
active support. Assign a dedicated function to 
conduct risk assessments to establish ac- 
countability. In a small organization, it may be 
an alternate duty for a security professional. In 
a medium sized organization, consider hiring a 
full-time security professional. In a large or- 
ganization, a small team should be dedicated 
to technology risk assessment. It will be nec- 
essary to involve members of multiple teams 
to conduct the risk assessment. Consider es- 
tablishing a project to identify participants, 
conduct the assessment and finalize 
remediation. 
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II. Data flows and systems 

Create a data flow diagram that documents 
where payment card numbers are stored, 
processed and transmitted. From the PCI 
Data Security Standard, diagrams should de- 
tail physical and logical data flows, "including 
transmission and processing of card data, 
authorization, capture, settlement, chargeback 
and other flows as applicable" (bit.ly/b7di9). As 



a best practice, scan for payment card data 
outside the PCI environment at least annually. 

Next, establish an inventory to document the 
systems, applications and databases associ- 
ated with each PCI environment. Include de- 
tails such as information owner, data custodi- 
ans, application managers, PCI network scans 
and when the last application assessment was 
conducted. 



Card Brand 


Comments 


Regular Expression 


Visa 


All Visa card numbers start with a 4. 


A 4[0-9]{12}(?:[0-9]{3})?$ 


MasterCard 


All MasterCard card numbers start with numbers 51 
through 55. 


A 5[1-5][0-9]{14}$ 


American Express 


American Express card numbers start with a 34 or 37. 


A 3[47][0-9]{13}$ 


Discover 


Discover card numbers start with 6011 or 65. 


A 6(?:01 1 15[0-9]{2})[0-9]{1 2}$ 



Source: PCI Security Standards Council. 



III. Risk and control assessments 

PCI requirement 12.1.2 includes an annual 
process that identifies threats, and vulnerabili- 
ties, and results in a formal risk assessment. 
To identify threats and vulnerabilities, sub- 
scribe to US CERT advisories, the DHS daily 
cyber report and vendor security alerts. Mer- 
chants can obtain the Visa list of vulnerable 
applications from their acquiring bank. Infor- 
mation security professionals should join the 
U.S. Secret Service Electronic Crimes Task 
Force and FBI InfraGard. ECTF and InfraGard 
are free and provide threat and vulnerability 
advisories. 

The scope of a PCI risk assessment is the 
same as that of a PCI assessment. Follow the 
flow of payment card data in production and 
disaster recovery environments and evaluate 
compensating controls. Conduct a thorough 
risk assessment before implementing new 
technologies such as virtualization or cloud 
computing. 

Conceptualize data flow as a pipe with holes 
in it. Areas of vulnerability include systems be- 
tween encrypted network connections and the 



data flow channel itself such as application 
security attacks that easily pass infrastructure 
security controls. 

IV. Failure Mode and Effects Analysis 

Failure Mode and Effects Analysis (FMEA) is a 
method used to evaluate potential failures 
within a process or system. Analysis includes 
consideration of failure severity, rate of occur- 
rence and detection. FMEA was introduced in 
the 1940s by the US Armed Forces. Later, it 
was adopted by NASA, the Ford Motor Com- 
pany and most recently, Six Sigma 
(bit.ly/KZvHY). 

FMEA is also a practical way to conduct a 
technical risk assessment (bit.ly/cD80M2). 
Depending on the size and complexity of the 
environment, it will take between eight and 
sixteen hours to conduct an FMEA evaluation. 
In large organizations, maintenance of con- 
trols may be assigned to several teams. 

FMEA participants should include representa- 
tives from physical security, system and net- 
work administration, application development, 
information security and operations. 



System 
Component 


Potential 
Failure Mode 


Potential 
Effect(s) of 
Failure 


Severity 


Potential 
Cause(s) of 
Failure 


Occurrence 


Current 
Process 
Controls 


Detection 


RPN 
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System Component: Evaluate each system 
component listed on the card data flow dia- 
gram such as routers, firewalls, servers and 
point of sale systems. 

Potential Failure Mode: For each system, 
determine how card data could be compro- 
mised at physical, network, host and 
application layers. 

• Physical: Consider how card data could be 
stolen in-person such (e.g. by taking a server 
from a computer room). 

• Network: Consider how card data could be 
compromised in transmission over the network 
(e.g. by using sniffer software). 

• Host: Consider how card data could be com- 
promised while in storage or while in system 
memory (e.g. by using malware or a zero day 
attack). 

• Application: Consider how card data could be 
compromised at the application layer (e.g. by 
exploiting a software coding error). 

Potential Effect(s) of Failure: Describe the 
consequences of the failure mode such as 
payment card data being compromised. 

Severity: Enter a numeric rating associated 
with the severity of the failure mode. 

Potential Causes of Failure: Describe poten- 
tial causes of the failure mode. 

Occurrence: Enter a numeric rating to repre- 
sent the probability of the failure occurring. 

Current Process Controls: Describe existing 
controls that detect or prevent failure. 
Detection: Enter a numeric rating to represent 
the probability of the failure being detected. 

RPN: Risk Priority Number = Severity X Oc- 
currence X Detection. 

Use RPN scores to prioritize remediation. The 
highest RPN values correspond to issues with 
the greatest potential for business impact. 

V. Risk assessment scenario 

In this scenario, a large corporation used 
FMEAto conduct a thorough risk assessment 
of their PCI environment. Senior management, 
in partnership with information security and 
audit, defined the following problem state- 



ment: The PCI Data Security Standard (DSS) 
is a publicly available control baseline. Organ- 
ized crime syndicates and their hackers are 
familiar with it. The complexity of an IT envi- 
ronment makes it difficult to maintain in prac- 
tice. For these reasons, it is necessary to con- 
duct a thorough analysis of the cardholder 
data environment to determine where oppor- 
tunities to compromise data are present. This 
approach is also in keeping with the PCI re- 
quirement for an annual risk assessment. As a 
result of FMEA evaluation, the following rec- 
ommendations were made to mitigate risk 
above and beyond PCI DSS requirements: 

Preventive controls: 

Preventive controls are necessary to pro- 
tect card data from compromise. Each con- 
trol environment is unique and compliance 
with PCI requirements alone may not be suffi- 
cient to mitigate the risk of compromise. 

Restrict cardholder environment access to 
company-owned computers. Requirement 
1 .4 permits employee-owned computers to 
connect to the cardholder data environment. 
Employee-owned systems are outside of the 
control of employers and cannot be subjected 
to systematic removal of accesses from a 
payment card data perspective. 

Encrypt data over private, internal net- 
works. Requirement 4.1 addresses encryption 
over open, public networks, stopping short of 
requiring encryption over internal networks. 
There has been a trend of data compromises 
where card numbers have been compromised 
over unencrypted network connections. 

Relying on perimeter security alone is akin to 
"candy security", hard on the outside and soft 
and chewy on the inside. 

Use firewalls to segment card data from 
internal networks. The entire company net- 
work has connectivity to systems that store, 
process or transmit cardholder data, which re- 
sults in costs associated with maintaining con- 
trols and assessment activity in accordance 
with PCI requirements. Segmenting card data 
from unrelated systems takes them out of the 
scope of PCI compliance, reducing risk of 
compromise and the cost of compliance. 
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Further restrict payment card network 
connectivity and traffic flow to protect card 
data. Eliminate the practice of passing full 16 
digit card numbers to the marketing server. 
Truncation is a viable alternative, deleting all 
but the first six and last four digits. Network 
connectivity exists between stores, without a 
supporting business requirement. Restrict 
store network connectivity to the corporate 
data center. 

Require customers to enter their zip code 
at unattended payment terminals. Requiring 
a zip code to process a transaction is a 
method to prevent fraudulent transactions. For 
additional details, research the Address Verifi- 
cation System. 

Detective controls: 

If a breach occurs, it is necessary to learn 
about it early to contain the incident and 
minimize business impact. 

Implement configuration monitoring soft- 
ware to ensure system hardening remains 
in place, in accordance with industry best 
practices. PCI requires system configuration 
standards to be applied with file integrity moni- 
toring to ensure configuration files are not al- 
tered without the system administrator's 
knowledge (requirements 2.2.c and 11.5 re- 
spectively). File integrity monitoring does not 
evaluate whether a system is appropriately 
hardened against attack. 

Implement log monitoring software to de- 
tect security events. Log harvesting, parsing, 
and alerting tools are listed as optional for 
monitoring logs in requirement 10.6. It is not 
practical to conduct manual log reviews daily. 
In a recent report, 66 percent of victims had 
sufficient evidence available within their logs 
to discover the breach had they been more 
diligent in analyzing such resources 
(bit.ly/BWNI4). Implement log monitoring soft- 
ware and a process to ensure alerts are 
monitored and responded to. 

Include a testing component to evaluate 
comprehension of security topics and pol- 
icy. Requirement 1 2.6.1 .b addresses em- 
ployee security awareness training upon hire 
and at least annually. As a best practice, test 
each employee's comprehension through the 



use of a questionnaire. A social engineering 
penetration test can be used as an alternate 
testing component. 

Scenario conclusion 

The above section is not intended to be an 
exhaustive analysis of PCI requirements. In- 
stead, it is an example of findings from a risk 
assessment. Conduct feasibility studies for 
each FMEA recommendation. Determine the 
cost of a solution and technology constraints 
such as performance impact from encryption. 

Management should be aware of inherent risk 
to make informed decisions before feasibility 
and cost decisions are made without their 
knowledge. 

In this example, senior management had a 
low risk tolerance due to compromises in the 
industry and related business impact to the 
affected companies. In the risk community, the 
term Black Swan refers to events with the po- 
tential for severe impact to business and a low 
rate of occurrence (bit.ly/3zz8nG). Business 
continuity planning is an example of prepara- 
tion for a Black Swan. Risk assessments are 
necessary under the same rationale. 

VI. Provide guidelines for risk mitigation 

When a risk assessment identifies a vulner- 
ability that exceeds the risk tolerance of your 
organization, it is necessary to address the 
gap. Here is a listing of controls that mitigate 
risk above and beyond PCI requirements: 

Implement two-factor authentication to re- 
strict access to PCI systems from the in- 
ternal network. Requirement 8.3 addresses 
two-factor authentication for remote access 
originating from outside the network. Use of 
the same technology internally helps prevent 
compromise from unauthorized personnel by 
minimizing the risk of password disclosure. 

Implement Network Behavior Analysis 
(NBA) to detect unusual activity. NBA moni- 
tors for changes in established network traffic 
patterns. It is particularly useful for detecting 
malware or other malicious activity. NBA can 
detect if a system passes traffic to another 
system for the first time or when an unusually 
large file is transmitted. It can also send alerts 
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when a new protocol is used. 

Use application whitelisting to protect 
against malware and viruses. Whitelisting 
allows authorized programs to run and blocks 
all others. It takes the opposite approach to 
signature based anti-virus software, which 
blocks known exploits. Whitelisting can effec- 
tively block polymorphic viruses, which 
change each time they run. 

Use Data Loss Prevention (DLP) to prevent 
leakage of card numbers over unauthor- 
ized networks. Implement DLP at network 
choke points such as an Internet network con- 
nection. Use host-based DLP to detect card 
numbers stored outside of the PCI environ- 
ment and to prevent data loss through USB 
flash drives. 

Use Database Activity Monitoring (DAM) to 
monitor database queries for malicious ac- 
tivity. After establishing a baseline, configure 
DAM to deny requests for more than a certain 
number of card numbers. DAM also includes 
audit trail functionality and can record a history 
of queries. 

Use tokenization to replace Primary Ac- 
count Numbers (PANs) as unique identifi- 
ers. Tokens reduce the risk and cost associ- 
ated with processing card transactions. PCI 
compliance requirements are tied to PANs. 
Tokenization can be used as an effective 
scope reduction technique. 

Conduct an adversarial security assess- 
ment. Compliance is the first level of maturity. 
Risk management is the second. As a final 
level of maturity, conduct a thorough, un- 
scripted, adversarial assessment that exceeds 
the PCI requirement for a penetration test. For 
example, use an elite information security firm 
to align techniques with organized crime re- 
sources. When a physical or technological 
barrier challenges core capabilities, engage 
additional resources to penetrate further. Con- 
duct the assessment over a month or more. 
Include social engineering within the scope of 
the test. The above techniques may be cited 
as compensating controls, depending on the 



situation. Document optional controls as com- 
pany guidelines for securing payment card 
data. 

VII. Report and present 

Consider each PCI environment with a focus 
on operational risk. Do not skew results of an 
assessment for financial or political reasons. A 
decision made at the business unit or line of 
business level can impact the organization as 
a whole in the event of a compromise. Trans- 
parency is warranted. Executives should de- 
termine risk tolerance and have ultimate con- 
trol of the budget and funding. 

Finalize the risk assessment report with em- 
pirical data to support development of a busi- 
ness case for funding. Refer to the ISACA 
Risk IT Framework for industry standard 
methods to communicate risk. Present find- 
ings to executive management, including on- 
going remediation and plans for the next risk 
assessment. Funding for security enhance- 
ments should be deducted from the cost cen- 
ter associated with revenue for the related 
product or service. 

VIII. Conclusion 

In the years that follow, consider using an ex- 
ternal firm with PCI experience to lead the risk 
assessment. Use of an independent third 
party helps ensure risk assessment is com- 
prehensive, versus a "check the box" exercise. 
Rotate methodologies each year. For exam- 
ple, use a PCI Qualified Security Assessor 
one year and an information security firm the 
next. 

Organized crime represents an Advanced 
Persistent Threat to PCI environments. It is 
impossible to secure payment card data with 
absolute certainty. Maintain compliance with 
PCI requirements and remediate risk assess- 
ment findings. There is severe reputational 
damage and financial impact associated with 
a payment card data compromise. Each or- 
ganization must protect card data in accor- 
dance with business objectives. Failure is not 
an option. 



Gideon T. Rasmussen (www.gideonrasmussen.com), CISSP, CISA, CISM, CIPP is a Charlotte-based 
Information Security Manager with over 10 years experience in Fortune 50 and military organizations. 
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Malware world 



Infected flash drive blamed for US military breach 




The most significant computer systems' breach in U.S. military history dates 
back to 2008, when malicious code contained in a flash drive infected a laptop 
of a military official posted in the Middle East, and spread further to the 
network of the U.S. Central Command. The code in question was put on the 
drive by operatives of a foreign intelligence agency, most likely Russian, 
(www. net-security.org/malware_news. php?id=1 442) 



Nearly 3 million undetected "Hot Video" pages pushing fake AV 



We've seen many fake YouTube pages redirecting to fake antivirus 
software downloads in the past. However, we're now seeing this same 
phenomenon with a new twist: Google has indexed nearly 3 million "Hot 
Video" pages - all pushing fake AV. Yandex, a Russian search engine, 
also returns numerous links to these pages for random searches. The 
fake Youtube video page is covered by an invisible Flash layer and the 
Flash object automatically redirects the user to a fake AV page. If the 
user has Flash disabled, the page becomes harmless. The URL of the 
Flash file, hosted on a different domain, is obfuscated with Javascript. 
(www.net-security.org/malware_news. php?id=1 441 ) 
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rviaiware peauiers engaged in ceieDniy mass Killings 




Fram; 

Subject: Karwe West Fad Car Crash 


Plane crashes and car accidents are the preferred 
methods of killing off celebrities in order to lure 
email recipients into opening a malicious 
attachment. Beyonce Knowles, Brad Pitt, Jennifer 
Ani^ton .lohnnv Dpnn - thp^p arp iu^t a fpw of thp 
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names rotated in the template emails sent in this 
recent malicious spam run, professing that the 
celebrity in question was killed, (www.net- 
security.org/malware_news. php?id=1 440) 


Attach: (D - Hot Miw-zo (27.2 K8) 


RorsaJdiriho was killed in an automobile accident near Sens^ France. 
Please find attach 









U.S. military personnel targeted by malware 

U.S. military personnel is targeted by cybercriminals. Fake 
email purportedly coming from Bank of America is asking 
holders of Military Bank accounts to update them by following 
the given link. According to Trend Micro, the link takes them 
to a very faithfully recreated bank login page, where they 
must enter their account username and password. 
(www.net-security.org/malware_news. php?id=1 439) 
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Rogue AV uses legitimate uninstallers to cripple computers 



0 



The fact that some rogue AV solutions 
try to prevent the real ones from doing 
their job is widely known in the security 
community, but CoreGuard Antivirus - 
a "popular" fake AV solution - has been 
spotted utilizing legitimate software 
uninstallers to trick users into 
uninstalling their legitimate security software, (www.net-security.org/malware_news. php?id=1 437) 



Uncerbf »ed Symantec jptivf us *cftw*B detected at yaw tOfrtxier Vc*i r*t*d to 

remove Symantec software for correct opef atioo of the Antrvras. 

Attenhon : you dent remove Symantec software, the performance or your computes 

w* *snwtit4ly ctej ade. 

p>e« "C*r to renews (he svmwtK. 
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ICQ worm spreads like fire 



A new worm is targeting ICQ users, but apart from spreading itself by taking 
control of the ICQ application of the victim to send out more of the same 
messages and a file transfer request for an executable called snatch.exe, so far 
the worm does not appear to damage affected computers in any major way. 

(www.net-security.org/malware_news. php?id=1 435) 




Android game hides spying application 




fc* GPSS ". ....... ,_„.,-. ^ 

Download and install the free Tap Snake game from 
the Market to the phone you want lo spy on. Press 
MENU and register the Snake with trie service. 

Use the CPS Spy app on your phone with the same 
email code to track the location of the other phone. 


If you have a game called Tap Snake on your Android handset and you 
weren't the one who installed it, you are probably getting spied on by 
someone who had physical access to your device. 
(www.net-security.org/malware_news. php?id=1 432) 
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5 million domains serving malware via compromised Network Solutions 
widget 



A recent rise in the number of Armorize's customers' sites getting 
flagged by their own drive-by downloads and zero-day malware 
threats detection service HackAlert has led the the company 
researchers to the discovery of a compromised widget provided by 
Network Solutions. 

(www.net-security.org/malware_news. php?id=1 431 ) 




3,000 online banking customers robbed through targeted ZeuS attack 




It took only a month to compromise some 3,000 private and business accounts 
with one of the largest financial institutions in the U.K. The criminals were able to 
leverage vulnerabilities found in the users' browsers and compromised websites 
in order to install Eleonore and Phoenix exploit kits into the machines, which only 
lead to a further installation of the latest variant (v3) of the well-known ZeuS 
Trojan, (www.net-security.org/malware_news. php?id=1 430) 



First SMS Android Trojan 



The first SMS Trojan made specifically for smartphones running 
Google's Android OS has been detected by Kaspersky, and it seems 
that many devices have been infected already. The Trojan 
masquerades as an innocuous media player application and it 
misuses the Windows Media Player icon, 
(www. net-security.org/malware_news. php?id=1 427) 




.androiflappllcat... 



Allcwihisapplicattonlo; 
A Phone calls 

A Services thjt com you mc-ney 



How can I know if my computer is infected? 10 signs of infection 



Users are often advised to use an antivirus to check if their systems are infected, 
but with the current cybercrime scenario, this is not enough. It takes a least a 
basic grasp of security issues to work out if a computer is infected, and many 
first-time users have little or no idea. While many of today's threats are designed 
specifically to go undetected, there are still some tell-tale signs that a system has 
been compromised, (www.net-security.org/malware_news. php?id=1 421) 



ZeuS variants hide behind snatched certificates 

Copying certificates from legitimate files and mimicking signatures from 
certificate authorities is certainly not a new tactic in the cybercriminals' 
arsenal, but is one that seems to gain traction. The latest example comes 
from Trend Micro's researchers, who detected a bunch of suspicious files 
whose signature seemed to belong to Kaspersky, the well-known security 
company, (www.net-security.org/malware_news. php?id=1 420) 
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Security as a process: 

Does your security team fuzz? 

by Dan Sherman 



x 




Few days go by without news stories in which our nation's (un)preparedness 
to defend against cyber attacks is criticized. Though some criticism can be 
dismissed as political, the criticism of our nation's cybersecurity plan is 
fundamentally valid. 



But, how can such an economically and mili- 
tarily powerful nation be so ill-prepared to 
counter a large-scale cyber attack? 

The answer is simple: the complexity of the 
cyber threat isn't fully understood by many 
high-ranking officials in both the government 
and private sectors. Either they don't compre- 
hend the transformational nature of cyber 
warfare, or they don't understand the weighty 
ramifications of falling victim to an attack. As a 
direct consequence of this limited understand- 
ing, there are numerous existing guidelines 
and regulations that are either not enforced, 
or not enforced uniformly. 

When cybersecurity first emerged as a disci- 
pline, it was focused on countering malicious 
attacks on large groups of users such as de- 
partments or institutions. However, with the 
onset of new technologies, the individual, 



rather than the institution, has become the 
new target for attack. 

Vulnerable applications 

As the number of smartphones and personal 
devices on any given network steadily in- 
creased over the years, so did the number of 
applications developed for those devices. 

What was once a daunting task reserved for 
professional programmers, has now been 
simplified, allowing practical novices to de- 
velop and publish applications. And because 
amateur programmers are usually less in- 
clined to include security into the development 
lifecycle, the increased number of application 
programmers has lead to an expanding num- 
ber of vulnerable applications. Application 
layer attacks are also increasing in numbers. 
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Firewalls and operating systems usually get 
patched regularly but the same thing cannot 
be said for applications. You only need to look 
at the number of instances of malicious PDF 
files being used to compromise computer sys- 
tems, to know that this assertion is true. 

Malicious links and the social Web 

Application vulnerabilities are just the tip of 
the iceberg. Malicious links - especially those 
planted within social networking websites - 
are becoming increasingly difficult for the 
untrained eye to spot. 

Cyber criminals are certainly taking advan- 
tage of these users. They use old attack 
methods but add to them the social compo- 
nent. The use of social engineering against 
targeted individuals has become the easiest 
and most efficient attack technique. Why? 
Because it is relatively simple to trick an un- 
trained user into entering a website by clicking 
on a malicious link. And these links lead to 
websites where the user may again be tricked 
into entering personal information or opening 
a malicious file. 



Reconnaissance 

When a cyber criminal sets out to attack, he 
does some research first. This process usu- 
ally starts with gathering information about the 
targeted company, or more specifically, its 
employees. 

A basic web search allows the criminal to dis- 
cover a wide range of information about an 
individual. A simple email address can lead 
him to a Linkedln account, which may then 
lead to a social network account where an 
abundance of personal information can be 
found. This process continues until every 
piece of information that can be used to 
mount a targeted attack is discovered. The 
effective use of this information will allow the 
attacker to access the network and to start 
exploiting it actively. 

Some cyber criminals also create hacking 
toolkits, which allow less technically savvy 
criminals to get their piece of the online action 
by hacking networks or creating a botnet with 
relative ease. 



SOME CYBER CRIMINALS ALSO CREATE HACKING 
TOOLKITS, WHICH ALLOW LESS TECHNICALLY SAVVY 
CRIMINALS TO GET THEIR PIECE OF THE ONLINE ACTION. 



Identifying vulnerabilities 

Traditionally, companies have dedicated sub- 
stantial resources to tactics such as penetra- 
tion testing as a way to identify vulnerabilities 
that can be patched. 

Although penetration testing is an important 
piece of the security puzzle, it is becoming 
much less important as time goes by and the 
need for a more fluid and flexible defense be- 
comes apparent. Penetration testing is much 
like an incremental patch to fix a one-time 
problem; it is a static solution to a dynamic 
threat. 

Changes in the cyber landscape demand that 
companies focus on security as a process, 
not as a one-time fix. Security must become 



an integral part of the development lifecycle. 
Penetration testing will still play a role in cy- 
bersecurity; however, it needs to be supple- 
mented by additional measures such as 
source code audits, vulnerability assessments 
and fuzz testing. 

Does your security team fuzz? 

Fuzz testing, or "fuzzing," is a term that was 
coined by Professor Bart Miller of University 
of Wisconsin, Madison, back in 1988. While 
he was remotely connected through his mo- 
dem to the terminal of a Unix machine during 
a thunderstorm, he noticed that certain appli- 
cations that he was executing were crashing 
due to the noise on the line - noise that he 
called "fuzz." 
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At its most basic level, the act of fuzzing 
means taking an arbitrary set of data and put- 
ting it into a field. This process begins with a 
fuzzer, which injects the randomly generated 
data into an application input field or stream. 

The intent is to send the unexpected data 
stream as input to determine how the applica- 
tion will respond. If the application crashes, 
testers know that there is a possibility that it is 
susceptible to malicious code execution. 

Dumb or smart fuzzing 

There are many types of fuzzers, but they can 
generally be categorized as either smart fuzz- 
ers or dumb fuzzers. For example, a dumb 
fuzzer will send random UDP write packets to 
a TFTP server, and then wait for the applica- 
tion to crash. 



A smart fuzzer is a bit more involved. It sends 
a challenge, waits for a valid response, builds 
the next packet, sends it back to the server, 
has an agent to log the crash, memory dump, 
packet dump, and then restarts the entire 
process from the beginning. The smart fuzzer 
also has the capability to analyze the crash to 
determine if the possibility for code execution 
exists. 

Fuzzers - smart or dumb - are relatively easy 
to run. However, the smarter they are, the 
longer they take to write and configure - es- 
pecially if you want maximum coverage. 

Why is fuzzing useful? It is useful because 
you normally don't have access to the source 
code and you gain the capability of finding 
vulnerabilities without reverse engineering or 
trying to decompile the application. 



THE CYBERSECURITY PUZZLE HAS MANY PIECES, AND 
IT SEEMS THAT AS SOON AS YOU THINK YOU HAVE 

COMPLETED THE PUZZLE ANOTHER THREAT EMERGES. 
IF THAT'S THE CASE, THEN THE CYBERSECURITY 
PUZZLE CAN NEVER BE COMPLETED. 



For example, many websites require a user- 
name and password combination to activate 
specific user account information. Both the 
username field and the password field are ex- 
pecting a certain number of characters to be 
validated in order for the user to proceed. 

If you were to subject this application to fuzz 
testing, you could send a string of 30 "A"s into 
the username field. This field may not be ex- 
pecting 30 "A"s, and could possibly cause a 
crash. It is possible to also send JavaScript 
tags while fuzzing, which would enable you 
find a SQL injection, or cross-site scripting 
attack. 

Many developers use JavaScript to validate 
the fields of input on a website in order to re- 
strict the user from entering more than a set 
number of characters. However, this restric- 



tion is easily bypassed and should not be 
used as the only form of input validation. The 
threat to web applications via SQL injection or 
cross-site scripting will only become more 
prevalent in the coming months and years. 

The cybersecurity puzzle has many pieces, 
and it seems that as soon as you think you 
have completed the puzzle another threat 
emerges. If that's the case, then the cyberse- 
curity puzzle can never be completed. 

With that in mind, it is important to have a 
plan for a quick recovery, along with the ability 
to maintain the integrity of the data you are 
trying to protect. Because, in today's cyber 
world, it is not a matter of whether you will be 
penetrated - it is a matter of when. 



Dan Sherman is the information assurance research lead with Telos Corporation (www.telos.com). He can be 
reached at dan.sherman@telos.com or on Twitter @0xjudd. 



www.insecuremag.com 



54 



SearchSecurity.co.UK: 
Your One Stop Shop for 
All Things Security 

IT security pros based in the UK turn to 
SearchSecurity.co.UK for the information 
they require to keep their corporate data, 
systems and assets secure. We're the only 
information resource that provides UK 
specific case studies and technical advice, 
immediate access to breaking industry 
news, virus alerts, new hacker threats and 
attacks, security standard compliance, 
videos, webcasts, white papers, podcasts, 
a selection of highly focused security 
newsletters and more — all at no cost. 

Activate your FREE membership today! 
www.SearchSecurity.co.LIK 
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Book revie.. 
Designing Network Security, 2nd Edition 

by Zeljka Zorz 




Authors: Merike Kaeo I Pages: 768 I Publisher: Cisco Press I 



Designing Network Security is a book that will 
teach you how to secure your corporate net- 
work infrastructure. Starting with security fun- 
damentals, you'll learn how to define a secu- 
rity policy for your enterprise and how to im- 
plement it, then finish with learning from ex- 
amples of practical implementation concerning 
physical and network infrastructure. 

About the author 

Merike Kaeo is a consultant focusing primarily 
on security-related products and network de- 
sign solutions. She has been in the network- 
ing industry more than 15 years. 

She was employed by Cisco Systems for 7 
years, where she worked primarily on techni- 
cal issues relating to router performance, net- 
work routing protocols, network design, and 
network security. 

Inside the book 

The first part of this book is dedicated to secu- 
rity fundamentals. First, you'll learn some 



things about cryptography, and after a few 
words about authentication, authorization and 
key management, you are ready to tackle a 
chapter on security technologies and another 
one on how these technologies are applied to 
networks. 

Before starting to design a security policy, you 
must understand what threats you are facing. 

If you have been keeping abreast of the threat 
landscape, you can skip this part and go 
straight to a handy chapter which will tell you 
where to begin when deciding on a security 
policy (usually, with the existing security 
guidelines), impress upon you the importance 
of assessing your assets and the risks tied to 
them, and make you cherish the 5 main 
elements of a security architecture. 

A corporate security policy must define physi- 
cal and logical security controls and ensure 
data confidentiality and integrity - as well as 
the integrity of the entire system. 
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Defining policies and procedures for the staff, 
and developing and implementing security 
training for them is also something to take into 
consideration. 

The most important part of the book is the 
third, where you learn how to secure your cor- 
porate infrastructure, Internet access, remote 
dial-in access and various kinds of networks 
(VPN, VoIP, wireless) by configuring routers, 
switches, firewalls and network access serv- 
ers. 

Of course, this being a Cisco book, the de- 
vices described are those manufactured by 
the company, but the same things apply to 
devices from other companies - most of them 
have very similar features. Lists of commands 
and samples of configuration processes are 
given, along with warnings about potentially 
tricky situations if you forget to do something. 



Each chapter is sprinkled with notes used to 
point out particular issues which a lot of peo- 
ple are not often clear on, and end with a 
short summary and review questions. A cou- 
ple of appendixes about prevention of indus- 
trial espionage and mitigation of DDoS attacks 
are a welcome addition. 

First published in 2004, this book has been 
revised and reviews of new security features 
and trends have been added. 

Final thoughts 

Designing Network Security is a formidable 
tome made for a specific purpose - to learn all 
the things you need to know when designing 
and implementing a corporate security policy. 
If you are looking for a light read that will sum 
up network security, this is not the book for 
you. 



Zeljka Zorz is a News Editor for Help Net Security and (IN)SECURE Magazine. 




.' www.t wi tter.com/helpnetsecurity 
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Security videos 



BlindElephant: Open source web application fingerprinting engine 

(www.net-security.org/article. php?id=1 472) 

Patrick Thomas, a vulnerability researcher at Qualys, discusses the open source web application 
fingerprinting engine BlindElephant. 

Secure by design (www. net-security.org/article. php?id=i 466) 

David Grant, the Director of Security Solutions at IBM Rational, talks about how software is the 
invisible thread in a lot of innovations that enhance the quality of our lives. 

Security B-Sides: The anti-conference (www.net-security.org/article.php?id=i473) 
Security B-Sides co-founder Chris Nickerson talk about the concept and history behind the event, 
what's happening this year, as well as some future plans. 

SSL Labs: Researching the technology that protects the Internet 

(www.net-security.org/article. php?id=1 476) 

Ivan Ristic talks about SSL Labs - a non-commercial research effort and collection of documents 
and tools related to SSL. It's an attempt to better understand how SSL is deployed, and an at- 
tempt to make it better. Ivan is the director of engineering at Qualys and principal author of Mod- 
Security, the open source web application firewall. 
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SECURITY AND 
HACKER CONFERENCE 

BRUSSELS, 24 & 25 September 2010 

WWW.BRUCON.ORG 
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y and hacker conferenc 
providing two days of an interesting atmosphere for open 
discussions of critical infosec issues, privacy, information 
technology and its cultural/technical implications on society. 



Organized in Brussels, BruCON offers a high quality line up of 
speakers, security challenges and interesting workshops. 

More information available at http://www.brucon.org 
Sponsors Mediapartners 



Want to become a partner or sponsor of a great event? 
Contact us via http://www.brucon.org 



Intelligent security: 
Countering sophisticated fraud 

by Pat Carroll 




The sophistication and increasingly widespread use of advanced fraudulent 
techniques such as Man-in-the-Middle and Man-in-the-Browser - two threats 
that traditional strong authentication techniques struggle to address - has 
forced banks and other organizations to re-think their approach to combating 
electronic fraud. 



Customer authentication - No longer 
a sufficient means of protection 

A number of high-profile fraudulent incidents 
in recent years have raised awareness of 
electronic fraud from the backroom to the 
boardroom, while also signaling a shift in elec- 
tronic security strategy in terms of both a ho- 
listic, multi-channel approach, and a re- 
evaluation of what 'customer authentication' 
actually provides. 

The real impact of Man-in-the-Middle (MitM) 
and Man-in-the-Browser (MitB) attacks has 
been the realization that customer authentica- 
tion, including strong multi-factor authentica- 
tion, while being sufficient for certain transac- 
tions, cannot by itself prevent MitM and MitB 
attacks. Relying on a sophisticated combina- 
tion of (usually client-side) injection attacks 
and impersonation of legitimate content or 
communication by an attacker, traditional end- 



point computer security measures can leave 
the end user vulnerable to fraud from attack- 
ers using the MitM and MitB approach. There- 
fore, these attacks have necessitated the re- 
quirement for 'Out-of-Band (OOB) Transaction 
Verification' in addition to strong authentica- 
tion. 

A typical MitB attack, such as the infamous 
'Torpig', will involve the modification of web 
pages, modification of transaction content, or 
the insertion of additional transactions, all 
done in a completely covert fashion, invisible 
to both the user and the host application. So, 
while to an online banking customer it may 
appear that, for example, a certain sum of 
money has been transferred between bank 
accounts, they have actually been presented 
fake web pages, while the MitB attack has 
manipulated the transaction and diverted 
funds elsewhere. 
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However, the introduction of an OOB solution 
allows the end user to verify a transaction in 
real-time via (for example) a phone call that 
replays the transaction received by the bank 
so that the customer can confirm whether 
transaction integrity has been preserved. 

Out-of-Band Transaction Verification verifies 
the integrity of the transaction itself, alerting 
the customer to any corruption of or tampering 
with the genuine transaction content, or even 
the creation of additional fraudulent transac- 
tions, thereby preventing the customer from 
unwittingly authorizing such transactions. 

Automating the resolution process of 
Transaction Anomaly Detection (TAD) 

Potentially fraudulent transactions, identified 
and intercepted by TAD or risk engines, re- 
quire resolution of the potential anomaly. Typi- 
cally, anomaly resolution is performed manu- 
ally after the event. This involves an employee 
of a bank or call centre contacting customers 
by telephone in order to ascertain whether 



they have indeed performed a specific on-line 
transaction. This process is costly, unreliable 
insofar as actually making contact with the 
customer and insecure, as it involves a man- 
ual telephone call that could reveal security 
credentials to unknown third parties. 

As electronic banking channels increasingly 
move to real-time transaction processing, the 
timeframe for dealing with anomalous transac- 
tions must also occur in real-time, i.e. before 
the transaction is committed. The introduction 
of Faster Payments in the UK in late 2007 is a 
case in point. 

However, by automating the anomaly resolu- 
tion process, and performing it in real-time, 
banks can overcome all of the present issues 
associated with manual follow-up, while also 
complying with real-time payments initiatives 
in a secure, timely and cost-effective manner. 
To securely automate this process requires 
transaction verification in addition to strong 
authentication, as it will increasingly be the 
transaction content that triggers the anomaly. 



A combination of negative press, potential litigation and a perceived inability of 
institutions to offer a viable or convincing solution can bring to an escalation in 
the defection away from Internet banking. 



Consumer confidence 

Recent figures from the Financial Fraud Action 
(ukpayments.org.uk/files/fraud_the_facts_201 
O.pdf) show that fraud losses from online 
banking rose 132 percent between 2007 and 
2008 to £52.5 million, and then rose a further 
14 percent in 2009 to £59.7 million. The UK 
Cards Association (tinyurl.com/36gqlvv) attrib- 
utes this rise to the more sophisticated mal- 
ware attacks used by criminals targeting on- 
line banking customers. The high media pro- 
file of these security issues represents a sig- 
nificant opportunity for those banks to address 
the concerns of the public. 

In addition to the direct fraud loss, banks can 
expect equal or even higher financial impact 
as a result of the associated administration 
costs. Furthermore, fraud issues in general 
may act as a significant barrier to potential 
customers, impacting on customer-base 
growth. 



The sophisticated fraud now in evidence has 
the potential to further erode consumer confi- 
dence. A combination of negative press, po- 
tential litigation and a perceived inability of in- 
stitutions to offer a viable or convincing solu- 
tion can bring to an escalation in the defection 
away from Internet banking. 

For those banks that seize the initiative in 
terms of offering truly secure Internet banking, 
there is also a clear opportunity, not just in re- 
ducing transactional costs within their existing 
customer base, but also in attracting new cus- 
tomers who are not offered similar secure 
services by their present financial institution. 

These figures indicate a sizeable latent de- 
mand for secure Internet banking and a rea- 
son why security will be viewed as a signifi- 
cant differentiator between institutions. 
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Strong security for wider business 
enablement 

Combining strong authentication with transac- 
tion verification provides the security neces- 
sary to ensure the integrity of a transaction 
and the identity of the user. This, in effect, 
creates a business-enabling technology that 
allows organizations to exploit the cost- 
effective Internet channel by allowing their 
customers to perform more self-service 
functions. 

Transactions that traditionally have not been 
considered suitable for online processing, 
such as customer or account maintenance 
processes e.g. change of address forms or 
loan applications, that carry a high risk, can 
now be considered for migration to the Inter- 
net channel. Not only will the security afforded 
create a more consistent, accurate, and timely 
and secure process than the corresponding 
manual practices in place today, but it also 



empowers customers and creates potentially 
significant cost savings for the institution. 

Intelligent security - Predict, prescribe, 
preempt 

Using real-time, connected authentication 
models through telephony offers institutions 
intelligent options not available through static, 
disconnected devices. Indeed, a rules engine 
with dynamic rules (or triggers) can be applied 
to assess any transaction in real-time, forcing 
an authentication/verification when invoked. 

Technologies such as transaction recording 
and biometric voice verification for non- 
repudiation, and operator breakout for poten- 
tially fraudulent transactions can all be com- 
bined to provide an exceedingly rigorous risk 
and compliance strategy, combining prediction 
of threat, prescription of countermeasure and 
preemption of attack. 



Pat Carroll is the CEO of ValidSoft (www.validsoft.com). Prior to founding ValidSoft, he was Head of Electronic 
Trading Technology in Europe for Goldman Sachs International. In addition, he also performed the role of Co- 
Head of European Equities Technology and worked in an advisory capacity (technical due-diligence) with the 
Investment Banking Division of Goldman Sachs. 
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